Action not permitted
Modal body text goes here.
Modal Title
Modal Body
CVE-2022-37603 (GCVE-0-2022-37603)
Vulnerability from cvelistv5 – Published: 2022-10-14 00:00 – Updated: 2025-05-15 14:51
VLAI
EPSS
Summary
A Regular expression denial of service (ReDoS) flaw was found in Function interpolateName in interpolateName.js in webpack loader-utils 2.0.0 via the url variable in interpolateName.js.
Severity
7.5 (High)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- n/a
- CWE-1333 - Inefficient Regular Expression Complexity
Assigner
References
6 references
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T10:29:21.025Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/webpack/loader-utils/blob/d9f4e23cf411d8556f8bac2d3bf05a6e0103b568/lib/interpolateName.js#L38"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/webpack/loader-utils/blob/d9f4e23cf411d8556f8bac2d3bf05a6e0103b568/lib/interpolateName.js#L107"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/webpack/loader-utils/issues/213"
},
{
"name": "FEDORA-2023-86d75130fe",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KAC5KQ2SEWAMQ6UZAUBZ5KXKEOESH375/"
},
{
"name": "FEDORA-2023-a4f0b29f6c",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ERN6YE3DS7NBW7UH44SCJBMNC2NWQ7SM/"
},
{
"name": "FEDORA-2023-2e38c3756f",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VNV2GNZXOTEDAJRFH3ZYWRUBGIVL7BSU/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-37603",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-15T14:51:07.504643Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1333",
"description": "CWE-1333 Inefficient Regular Expression Complexity",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-15T14:51:37.708Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A Regular expression denial of service (ReDoS) flaw was found in Function interpolateName in interpolateName.js in webpack loader-utils 2.0.0 via the url variable in interpolateName.js."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-03-30T00:00:00.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://github.com/webpack/loader-utils/blob/d9f4e23cf411d8556f8bac2d3bf05a6e0103b568/lib/interpolateName.js#L38"
},
{
"url": "https://github.com/webpack/loader-utils/blob/d9f4e23cf411d8556f8bac2d3bf05a6e0103b568/lib/interpolateName.js#L107"
},
{
"url": "https://github.com/webpack/loader-utils/issues/213"
},
{
"name": "FEDORA-2023-86d75130fe",
"tags": [
"vendor-advisory"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KAC5KQ2SEWAMQ6UZAUBZ5KXKEOESH375/"
},
{
"name": "FEDORA-2023-a4f0b29f6c",
"tags": [
"vendor-advisory"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ERN6YE3DS7NBW7UH44SCJBMNC2NWQ7SM/"
},
{
"name": "FEDORA-2023-2e38c3756f",
"tags": [
"vendor-advisory"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VNV2GNZXOTEDAJRFH3ZYWRUBGIVL7BSU/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2022-37603",
"datePublished": "2022-10-14T00:00:00.000Z",
"dateReserved": "2022-08-08T00:00:00.000Z",
"dateUpdated": "2025-05-15T14:51:37.708Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2022-37603",
"date": "2026-06-16",
"epss": "0.02046",
"percentile": "0.78647"
},
"fkie_nvd": {
"configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:webpack.js:loader-utils:*:*:*:*:*:*:*:*\", \"versionEndExcluding\": \"1.4.2\", \"matchCriteriaId\": \"2D80B42D-76ED-4230-96B9-15EB1830D9E5\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:webpack.js:loader-utils:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"2.0.0\", \"versionEndExcluding\": \"2.0.4\", \"matchCriteriaId\": \"F4F9E61F-7368-4FB3-9F31-961DE4EC04A1\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:webpack.js:loader-utils:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"3.0.0\", \"versionEndExcluding\": \"3.2.1\", \"matchCriteriaId\": \"A8197168-0B7C-4BD0-B378-251CAA956A60\"}]}]}]",
"descriptions": "[{\"lang\": \"en\", \"value\": \"A Regular expression denial of service (ReDoS) flaw was found in Function interpolateName in interpolateName.js in webpack loader-utils 2.0.0 via the url variable in interpolateName.js.\"}, {\"lang\": \"es\", \"value\": \"Se ha encontrado un fallo de denegaci\\u00f3n de servicio de expresi\\u00f3n Regular (ReDoS) en la funci\\u00f3n interpolateName en el archivo interpolateName.js en webpack loader-utils 2.0.0 por medio de la variable url en interpolateName.js\"}]",
"id": "CVE-2022-37603",
"lastModified": "2024-11-21T07:15:02.577",
"metrics": "{\"cvssMetricV31\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\", \"baseScore\": 7.5, \"baseSeverity\": \"HIGH\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 3.9, \"impactScore\": 3.6}]}",
"published": "2022-10-14T16:15:12.647",
"references": "[{\"url\": \"https://github.com/webpack/loader-utils/blob/d9f4e23cf411d8556f8bac2d3bf05a6e0103b568/lib/interpolateName.js#L107\", \"source\": \"cve@mitre.org\", \"tags\": [\"Exploit\", \"Third Party Advisory\"]}, {\"url\": \"https://github.com/webpack/loader-utils/blob/d9f4e23cf411d8556f8bac2d3bf05a6e0103b568/lib/interpolateName.js#L38\", \"source\": \"cve@mitre.org\", \"tags\": [\"Exploit\", \"Third Party Advisory\"]}, {\"url\": \"https://github.com/webpack/loader-utils/issues/213\", \"source\": \"cve@mitre.org\", \"tags\": [\"Issue Tracking\", \"Third Party Advisory\"]}, {\"url\": \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ERN6YE3DS7NBW7UH44SCJBMNC2NWQ7SM/\", \"source\": \"cve@mitre.org\"}, {\"url\": \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KAC5KQ2SEWAMQ6UZAUBZ5KXKEOESH375/\", \"source\": \"cve@mitre.org\"}, {\"url\": \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VNV2GNZXOTEDAJRFH3ZYWRUBGIVL7BSU/\", \"source\": \"cve@mitre.org\"}, {\"url\": \"https://github.com/webpack/loader-utils/blob/d9f4e23cf411d8556f8bac2d3bf05a6e0103b568/lib/interpolateName.js#L107\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Exploit\", \"Third Party Advisory\"]}, {\"url\": \"https://github.com/webpack/loader-utils/blob/d9f4e23cf411d8556f8bac2d3bf05a6e0103b568/lib/interpolateName.js#L38\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Exploit\", \"Third Party Advisory\"]}, {\"url\": \"https://github.com/webpack/loader-utils/issues/213\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Issue Tracking\", \"Third Party Advisory\"]}, {\"url\": \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ERN6YE3DS7NBW7UH44SCJBMNC2NWQ7SM/\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KAC5KQ2SEWAMQ6UZAUBZ5KXKEOESH375/\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VNV2GNZXOTEDAJRFH3ZYWRUBGIVL7BSU/\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}]",
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": "[{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-1333\"}]}]"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2022-37603\",\"sourceIdentifier\":\"cve@mitre.org\",\"published\":\"2022-10-14T16:15:12.647\",\"lastModified\":\"2025-05-15T15:15:56.750\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"A Regular expression denial of service (ReDoS) flaw was found in Function interpolateName in interpolateName.js in webpack loader-utils 2.0.0 via the url variable in interpolateName.js.\"},{\"lang\":\"es\",\"value\":\"Se ha encontrado un fallo de denegaci\u00f3n de servicio de expresi\u00f3n Regular (ReDoS) en la funci\u00f3n interpolateName en el archivo interpolateName.js en webpack loader-utils 2.0.0 por medio de la variable url en interpolateName.js\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6},{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-1333\"}]},{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-1333\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:webpack.js:loader-utils:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"1.4.2\",\"matchCriteriaId\":\"2D80B42D-76ED-4230-96B9-15EB1830D9E5\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:webpack.js:loader-utils:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"2.0.0\",\"versionEndExcluding\":\"2.0.4\",\"matchCriteriaId\":\"F4F9E61F-7368-4FB3-9F31-961DE4EC04A1\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:webpack.js:loader-utils:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"3.0.0\",\"versionEndExcluding\":\"3.2.1\",\"matchCriteriaId\":\"A8197168-0B7C-4BD0-B378-251CAA956A60\"}]}]}],\"references\":[{\"url\":\"https://github.com/webpack/loader-utils/blob/d9f4e23cf411d8556f8bac2d3bf05a6e0103b568/lib/interpolateName.js#L107\",\"source\":\"cve@mitre.org\",\"tags\":[\"Exploit\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/webpack/loader-utils/blob/d9f4e23cf411d8556f8bac2d3bf05a6e0103b568/lib/interpolateName.js#L38\",\"source\":\"cve@mitre.org\",\"tags\":[\"Exploit\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/webpack/loader-utils/issues/213\",\"source\":\"cve@mitre.org\",\"tags\":[\"Issue Tracking\",\"Third Party Advisory\"]},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ERN6YE3DS7NBW7UH44SCJBMNC2NWQ7SM/\",\"source\":\"cve@mitre.org\"},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KAC5KQ2SEWAMQ6UZAUBZ5KXKEOESH375/\",\"source\":\"cve@mitre.org\"},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VNV2GNZXOTEDAJRFH3ZYWRUBGIVL7BSU/\",\"source\":\"cve@mitre.org\"},{\"url\":\"https://github.com/webpack/loader-utils/blob/d9f4e23cf411d8556f8bac2d3bf05a6e0103b568/lib/interpolateName.js#L107\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/webpack/loader-utils/blob/d9f4e23cf411d8556f8bac2d3bf05a6e0103b568/lib/interpolateName.js#L38\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/webpack/loader-utils/issues/213\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Issue Tracking\",\"Third Party Advisory\"]},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ERN6YE3DS7NBW7UH44SCJBMNC2NWQ7SM/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KAC5KQ2SEWAMQ6UZAUBZ5KXKEOESH375/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VNV2GNZXOTEDAJRFH3ZYWRUBGIVL7BSU/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://github.com/webpack/loader-utils/blob/d9f4e23cf411d8556f8bac2d3bf05a6e0103b568/lib/interpolateName.js#L38\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://github.com/webpack/loader-utils/blob/d9f4e23cf411d8556f8bac2d3bf05a6e0103b568/lib/interpolateName.js#L107\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://github.com/webpack/loader-utils/issues/213\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KAC5KQ2SEWAMQ6UZAUBZ5KXKEOESH375/\", \"name\": \"FEDORA-2023-86d75130fe\", \"tags\": [\"vendor-advisory\", \"x_transferred\"]}, {\"url\": \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ERN6YE3DS7NBW7UH44SCJBMNC2NWQ7SM/\", \"name\": \"FEDORA-2023-a4f0b29f6c\", \"tags\": [\"vendor-advisory\", \"x_transferred\"]}, {\"url\": \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VNV2GNZXOTEDAJRFH3ZYWRUBGIVL7BSU/\", \"name\": \"FEDORA-2023-2e38c3756f\", \"tags\": [\"vendor-advisory\", \"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-03T10:29:21.025Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 7.5, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"NONE\"}}, {\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2022-37603\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-05-15T14:51:07.504643Z\"}}}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-1333\", \"description\": \"CWE-1333 Inefficient Regular Expression Complexity\"}]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-05-15T14:51:26.620Z\"}}], \"cna\": {\"affected\": [{\"vendor\": \"n/a\", \"product\": \"n/a\", \"versions\": [{\"status\": \"affected\", \"version\": \"n/a\"}]}], \"references\": [{\"url\": \"https://github.com/webpack/loader-utils/blob/d9f4e23cf411d8556f8bac2d3bf05a6e0103b568/lib/interpolateName.js#L38\"}, {\"url\": \"https://github.com/webpack/loader-utils/blob/d9f4e23cf411d8556f8bac2d3bf05a6e0103b568/lib/interpolateName.js#L107\"}, {\"url\": \"https://github.com/webpack/loader-utils/issues/213\"}, {\"url\": \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KAC5KQ2SEWAMQ6UZAUBZ5KXKEOESH375/\", \"name\": \"FEDORA-2023-86d75130fe\", \"tags\": [\"vendor-advisory\"]}, {\"url\": \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ERN6YE3DS7NBW7UH44SCJBMNC2NWQ7SM/\", \"name\": \"FEDORA-2023-a4f0b29f6c\", \"tags\": [\"vendor-advisory\"]}, {\"url\": \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VNV2GNZXOTEDAJRFH3ZYWRUBGIVL7BSU/\", \"name\": \"FEDORA-2023-2e38c3756f\", \"tags\": [\"vendor-advisory\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"A Regular expression denial of service (ReDoS) flaw was found in Function interpolateName in interpolateName.js in webpack loader-utils 2.0.0 via the url variable in interpolateName.js.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"text\", \"description\": \"n/a\"}]}], \"providerMetadata\": {\"orgId\": \"8254265b-2729-46b6-b9e3-3dfca2d5bfca\", \"shortName\": \"mitre\", \"dateUpdated\": \"2023-03-30T00:00:00.000Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2022-37603\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-05-15T14:51:37.708Z\", \"dateReserved\": \"2022-08-08T00:00:00.000Z\", \"assignerOrgId\": \"8254265b-2729-46b6-b9e3-3dfca2d5bfca\", \"datePublished\": \"2022-10-14T00:00:00.000Z\", \"assignerShortName\": \"mitre\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
}
}
RHSA-2023:3374
Vulnerability from csaf_redhat - Published: 2023-05-31 10:51 - Updated: 2026-06-02 17:38Summary
Red Hat Security Advisory: Migration Toolkit for Runtimes security update
Severity
Moderate
Notes
Topic: Migration Toolkit for Runtimes 1.1.0 release
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details: Migration Toolkit for Runtimes 1.1.0 ZIP artifacts
Security Fix(es):
* loader-utils: Regular expression denial of service (CVE-2022-37603)
* codec-haproxy: HAProxyMessageDecoder Stack Exhaustion DoS (CVE-2022-41881)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
A flaw was found in loader-utils webpack library. When the url variable from interpolateName is set, the prototype can be polluted. This issue could lead to a regular expression Denial of Service (ReDoS), affecting the availability of the affected component.
7.5 (High)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Migration Toolkit for Runtimes 1 on RHEL 8
Red Hat / Migration Toolkit for Runtimes
|
cpe:/a:redhat:migration_toolkit_runtimes:1.0::el8
|
— |
Vendor Fix
fix
|
Threats
Impact
Moderate
A flaw was found in codec-haproxy from the Netty project. This flaw allows an attacker to build a malformed crafted message and cause infinite recursion, causing stack exhaustion and leading to a denial of service (DoS).
7.5 (High)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Migration Toolkit for Runtimes 1 on RHEL 8
Red Hat / Migration Toolkit for Runtimes
|
cpe:/a:redhat:migration_toolkit_runtimes:1.0::el8
|
— |
Vendor Fix
fix
|
Threats
Impact
Moderate
References
14 references
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Migration Toolkit for Runtimes 1.1.0 release\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Migration Toolkit for Runtimes 1.1.0 ZIP artifacts\n\nSecurity Fix(es):\n\n* loader-utils: Regular expression denial of service (CVE-2022-37603)\n\n* codec-haproxy: HAProxyMessageDecoder Stack Exhaustion DoS (CVE-2022-41881)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2023:3374",
"url": "https://access.redhat.com/errata/RHSA-2023:3374"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#moderate",
"url": "https://access.redhat.com/security/updates/classification/#moderate"
},
{
"category": "external",
"summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=migration.toolkit.runtimes\u0026downloadType=distributions",
"url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=migration.toolkit.runtimes\u0026downloadType=distributions"
},
{
"category": "external",
"summary": "2140597",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2140597"
},
{
"category": "external",
"summary": "2153379",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2153379"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2023/rhsa-2023_3374.json"
}
],
"title": "Red Hat Security Advisory: Migration Toolkit for Runtimes security update",
"tracking": {
"current_release_date": "2026-06-02T17:38:48+00:00",
"generator": {
"date": "2026-06-02T17:38:48+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.8.1"
}
},
"id": "RHSA-2023:3374",
"initial_release_date": "2023-05-31T10:51:35+00:00",
"revision_history": [
{
"date": "2023-05-31T10:51:35+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2023-05-31T10:51:35+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-06-02T17:38:48+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Migration Toolkit for Runtimes 1 on RHEL 8",
"product": {
"name": "Migration Toolkit for Runtimes 1 on RHEL 8",
"product_id": "Migration Toolkit for Runtimes 1 on RHEL 8",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:migration_toolkit_runtimes:1.0::el8"
}
}
}
],
"category": "product_family",
"name": "Migration Toolkit for Runtimes"
}
],
"category": "vendor",
"name": "Red Hat"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2022-37603",
"cwe": {
"id": "CWE-185",
"name": "Incorrect Regular Expression"
},
"discovery_date": "2022-11-07T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2140597"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in loader-utils webpack library. When the url variable from interpolateName is set, the prototype can be polluted. This issue could lead to a regular expression Denial of Service (ReDoS), affecting the availability of the affected component.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "loader-utils: Regular expression denial of service",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Migration Toolkit for Runtimes 1 on RHEL 8"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-37603"
},
{
"category": "external",
"summary": "RHBZ#2140597",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2140597"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-37603",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-37603"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-37603",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-37603"
}
],
"release_date": "2022-10-06T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-05-31T10:51:35+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Migration Toolkit for Runtimes 1 on RHEL 8"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:3374"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Migration Toolkit for Runtimes 1 on RHEL 8"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "loader-utils: Regular expression denial of service"
},
{
"cve": "CVE-2022-41881",
"cwe": {
"id": "CWE-674",
"name": "Uncontrolled Recursion"
},
"discovery_date": "2022-12-14T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2153379"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in codec-haproxy from the Netty project. This flaw allows an attacker to build a malformed crafted message and cause infinite recursion, causing stack exhaustion and leading to a denial of service (DoS).",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "codec-haproxy: HAProxyMessageDecoder Stack Exhaustion DoS",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Migration Toolkit for Runtimes 1 on RHEL 8"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-41881"
},
{
"category": "external",
"summary": "RHBZ#2153379",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2153379"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-41881",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-41881"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-41881",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41881"
}
],
"release_date": "2022-12-12T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-05-31T10:51:35+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Migration Toolkit for Runtimes 1 on RHEL 8"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:3374"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Migration Toolkit for Runtimes 1 on RHEL 8"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "codec-haproxy: HAProxyMessageDecoder Stack Exhaustion DoS"
}
]
}
RHSA-2023_0471
Vulnerability from csaf_redhat - Published: 2023-01-26 12:14 - Updated: 2024-12-16 02:13Summary
Red Hat Security Advisory: Migration Toolkit for Runtimes security update
Severity
Important
Notes
Topic: An update is now available for Migration Toolkit for Runtimes (v1.0.1).
Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.
Details: Security Fix(es):
* jib-core: RCE via the isDockerInstalled (CVE-2022-25914)
* Apache-Commons-BCEL: arbitrary bytecode produced via out-of-bounds writing (CVE-2022-42920)
* nodejs-minimatch: ReDoS via the braceExpand function (CVE-2022-3517)
* loader-utils: Regular expression denial of service (CVE-2022-37603)
* jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS (CVE-2022-42003)
* jackson-databind: use of deeply nested arrays (CVE-2022-42004)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page listed in the References section.
Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
A vulnerability was found in the nodejs-minimatch package. This flaw allows a Regular Expression Denial of Service (ReDoS) when calling the braceExpand function with specific arguments, resulting in a Denial of Service.
7.5 (High)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Migration Toolkit for Runtimes 1 on RHEL 8
Red Hat / Migration Toolkit for Runtimes
|
cpe:/a:redhat:migration_toolkit_runtimes:1.0::el8
|
— |
Vendor Fix
fix
|
Threats
Impact
Moderate
A flaw was found in the jib-core package. This flaw allows an attacker to execute remote code into its target.
9.8 (Critical)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Migration Toolkit for Runtimes 1 on RHEL 8
Red Hat / Migration Toolkit for Runtimes
|
cpe:/a:redhat:migration_toolkit_runtimes:1.0::el8
|
— |
Vendor Fix
fix
|
Threats
Impact
Important
A flaw was found in loader-utils webpack library. When the url variable from interpolateName is set, the prototype can be polluted. This issue could lead to a regular expression Denial of Service (ReDoS), affecting the availability of the affected component.
7.5 (High)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Migration Toolkit for Runtimes 1 on RHEL 8
Red Hat / Migration Toolkit for Runtimes
|
cpe:/a:redhat:migration_toolkit_runtimes:1.0::el8
|
— |
Vendor Fix
fix
|
Threats
Impact
Moderate
A flaw was found in FasterXML jackson-databind. This issue could allow an attacker to benefit from resource exhaustion when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled due to unchecked primitive value deserializers to avoid deep wrapper array nesting.
7.5 (High)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Migration Toolkit for Runtimes 1 on RHEL 8
Red Hat / Migration Toolkit for Runtimes
|
cpe:/a:redhat:migration_toolkit_runtimes:1.0::el8
|
— |
Vendor Fix
fix
|
Threats
Impact
Moderate
A flaw was found In FasterXML jackson-databind. This issue could allow an attacker to benefit from resource exhaustion due to the lack of a check in BeanDeserializer._deserializeFromArray to prevent the use of deeply nested arrays. An application is only vulnerable with certain customized choices for deserialization.
7.5 (High)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Migration Toolkit for Runtimes 1 on RHEL 8
Red Hat / Migration Toolkit for Runtimes
|
cpe:/a:redhat:migration_toolkit_runtimes:1.0::el8
|
— |
Vendor Fix
fix
|
Threats
Impact
Moderate
An out-of-bounds (OOB) write flaw was found in Apache Commons BCEL API. This flaw can be used to produce arbitrary bytecode and may abuse applications that pass attacker-controlled data to those APIs, giving the attacker more control over the resulting bytecode than otherwise expected.
8.1 (High)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Migration Toolkit for Runtimes 1 on RHEL 8
Red Hat / Migration Toolkit for Runtimes
|
cpe:/a:redhat:migration_toolkit_runtimes:1.0::el8
|
— |
Vendor Fix
fix
|
Threats
Impact
Important
References
35 references
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update is now available for Migration Toolkit for Runtimes (v1.0.1).\n\nRed Hat Product Security has rated this update as having a security impact\nof Important. A Common Vulnerability Scoring System (CVSS) base score, which\ngives a detailed severity rating, is available for each vulnerability from\nthe CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Security Fix(es):\n\n* jib-core: RCE via the isDockerInstalled (CVE-2022-25914)\n* Apache-Commons-BCEL: arbitrary bytecode produced via out-of-bounds writing (CVE-2022-42920)\n* nodejs-minimatch: ReDoS via the braceExpand function (CVE-2022-3517)\n* loader-utils: Regular expression denial of service (CVE-2022-37603)\n* jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS (CVE-2022-42003)\n* jackson-databind: use of deeply nested arrays (CVE-2022-42004)\n\nFor more details about the security issue(s), including the impact, a CVSS\nscore, acknowledgments, and other related information, refer to the CVE\npage listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2023:0471",
"url": "https://access.redhat.com/errata/RHSA-2023:0471"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=migration.toolkit.runtimes\u0026downloadType=distributions",
"url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=migration.toolkit.runtimes\u0026downloadType=distributions"
},
{
"category": "external",
"summary": "2134344",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2134344"
},
{
"category": "external",
"summary": "2134609",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2134609"
},
{
"category": "external",
"summary": "2135244",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135244"
},
{
"category": "external",
"summary": "2135247",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135247"
},
{
"category": "external",
"summary": "2140597",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2140597"
},
{
"category": "external",
"summary": "2142707",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2142707"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2023/rhsa-2023_0471.json"
}
],
"title": "Red Hat Security Advisory: Migration Toolkit for Runtimes security update",
"tracking": {
"current_release_date": "2024-12-16T02:13:15+00:00",
"generator": {
"date": "2024-12-16T02:13:15+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.2.3"
}
},
"id": "RHSA-2023:0471",
"initial_release_date": "2023-01-26T12:14:50+00:00",
"revision_history": [
{
"date": "2023-01-26T12:14:50+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2023-01-26T12:14:50+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2024-12-16T02:13:15+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Migration Toolkit for Runtimes 1 on RHEL 8",
"product": {
"name": "Migration Toolkit for Runtimes 1 on RHEL 8",
"product_id": "Migration Toolkit for Runtimes 1 on RHEL 8",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:migration_toolkit_runtimes:1.0::el8"
}
}
}
],
"category": "product_family",
"name": "Migration Toolkit for Runtimes"
}
],
"category": "vendor",
"name": "Red Hat"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2022-3517",
"cwe": {
"id": "CWE-1333",
"name": "Inefficient Regular Expression Complexity"
},
"discovery_date": "2022-06-01T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2134609"
}
],
"notes": [
{
"category": "description",
"text": "A vulnerability was found in the nodejs-minimatch package. This flaw allows a Regular Expression Denial of Service (ReDoS) when calling the braceExpand function with specific arguments, resulting in a Denial of Service.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "nodejs-minimatch: ReDoS via the braceExpand function",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Migration Toolkit for Runtimes 1 on RHEL 8"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-3517"
},
{
"category": "external",
"summary": "RHBZ#2134609",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2134609"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-3517",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-3517"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-3517",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3517"
}
],
"release_date": "2022-02-06T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-01-26T12:14:50+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Migration Toolkit for Runtimes 1 on RHEL 8"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0471"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Migration Toolkit for Runtimes 1 on RHEL 8"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "nodejs-minimatch: ReDoS via the braceExpand function"
},
{
"cve": "CVE-2022-25914",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"discovery_date": "2022-10-13T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2134344"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the jib-core package. This flaw allows an attacker to execute remote code into its target.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jib-core: RCE via the isDockerInstalled",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Migration Toolkit for Runtimes 1 on RHEL 8"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-25914"
},
{
"category": "external",
"summary": "RHBZ#2134344",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2134344"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-25914",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-25914"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-25914",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-25914"
}
],
"release_date": "2022-09-08T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-01-26T12:14:50+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Migration Toolkit for Runtimes 1 on RHEL 8"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0471"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"Migration Toolkit for Runtimes 1 on RHEL 8"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "jib-core: RCE via the isDockerInstalled"
},
{
"cve": "CVE-2022-37603",
"cwe": {
"id": "CWE-185",
"name": "Incorrect Regular Expression"
},
"discovery_date": "2022-11-07T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2140597"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in loader-utils webpack library. When the url variable from interpolateName is set, the prototype can be polluted. This issue could lead to a regular expression Denial of Service (ReDoS), affecting the availability of the affected component.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "loader-utils: Regular expression denial of service",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Migration Toolkit for Runtimes 1 on RHEL 8"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-37603"
},
{
"category": "external",
"summary": "RHBZ#2140597",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2140597"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-37603",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-37603"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-37603",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-37603"
}
],
"release_date": "2022-10-06T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-01-26T12:14:50+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Migration Toolkit for Runtimes 1 on RHEL 8"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0471"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Migration Toolkit for Runtimes 1 on RHEL 8"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "loader-utils: Regular expression denial of service"
},
{
"cve": "CVE-2022-42003",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2022-10-17T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2135244"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in FasterXML jackson-databind. This issue could allow an attacker to benefit from resource exhaustion when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled due to unchecked primitive value deserializers to avoid deep wrapper array nesting.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Migration Toolkit for Runtimes 1 on RHEL 8"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-42003"
},
{
"category": "external",
"summary": "RHBZ#2135244",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135244"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-42003",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-42003"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-42003",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-42003"
}
],
"release_date": "2022-10-02T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-01-26T12:14:50+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Migration Toolkit for Runtimes 1 on RHEL 8"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0471"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Migration Toolkit for Runtimes 1 on RHEL 8"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS"
},
{
"cve": "CVE-2022-42004",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2022-10-17T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2135247"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found In FasterXML jackson-databind. This issue could allow an attacker to benefit from resource exhaustion due to the lack of a check in BeanDeserializer._deserializeFromArray to prevent the use of deeply nested arrays. An application is only vulnerable with certain customized choices for deserialization.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jackson-databind: use of deeply nested arrays",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Migration Toolkit for Runtimes 1 on RHEL 8"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-42004"
},
{
"category": "external",
"summary": "RHBZ#2135247",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135247"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-42004",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-42004"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-42004",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-42004"
}
],
"release_date": "2022-10-02T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-01-26T12:14:50+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Migration Toolkit for Runtimes 1 on RHEL 8"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0471"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Migration Toolkit for Runtimes 1 on RHEL 8"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "jackson-databind: use of deeply nested arrays"
},
{
"cve": "CVE-2022-42920",
"cwe": {
"id": "CWE-787",
"name": "Out-of-bounds Write"
},
"discovery_date": "2022-11-07T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2142707"
}
],
"notes": [
{
"category": "description",
"text": "An out-of-bounds (OOB) write flaw was found in Apache Commons BCEL API. This flaw can be used to produce arbitrary bytecode and may abuse applications that pass attacker-controlled data to those APIs, giving the attacker more control over the resulting bytecode than otherwise expected.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "Apache-Commons-BCEL: arbitrary bytecode produced via out-of-bounds writing",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Fuse 7 ships the code in question but does not utilize it in the product, so it is affected at a reduced impact of Moderate.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Migration Toolkit for Runtimes 1 on RHEL 8"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-42920"
},
{
"category": "external",
"summary": "RHBZ#2142707",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2142707"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-42920",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-42920"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-42920",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-42920"
},
{
"category": "external",
"summary": "https://lists.apache.org/thread/lfxk7q8qmnh5bt9jm6nmjlv5hsxjhrz4",
"url": "https://lists.apache.org/thread/lfxk7q8qmnh5bt9jm6nmjlv5hsxjhrz4"
}
],
"release_date": "2022-11-04T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-01-26T12:14:50+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Migration Toolkit for Runtimes 1 on RHEL 8"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0471"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"Migration Toolkit for Runtimes 1 on RHEL 8"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "Apache-Commons-BCEL: arbitrary bytecode produced via out-of-bounds writing"
}
]
}
RHSA-2023_0713
Vulnerability from csaf_redhat - Published: 2023-02-09 11:35 - Updated: 2024-12-16 02:04Summary
Red Hat Security Advisory: Red Hat Data Grid 8.4.1 security update
Severity
Important
Notes
Topic: An update for Red Hat Data Grid 8 is now available.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details: Red Hat Data Grid is an in-memory, distributed, NoSQL datastore solution. It increases application response times and allows for dramatically improving performance while providing availability, reliability, and elastic scale.
Data Grid 8.4.1 replaces Data Grid 8.4.0 and includes bug fixes and enhancements. Find out more about Data Grid 8.4.1 in the Release Notes[3].
Security Fix(es):
* mina-sshd: Java unsafe deserialization vulnerability [jdg-8] (CVE-2022-45047)
* file-type: a malformed MKV file could cause the file type detector to get caught in an infinite loop [jdg-8] (CVE-2022-36313)
* loader-utils: loader-utils:Regular expression denial of service [jdg-8] (CVE-2022-37603)
* codec-haproxy: HAProxyMessageDecoder Stack Exhaustion DoS [jdg-8] (CVE-2022-41881)
* jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS [jdg-8] (CVE-2022-42003)
* jackson-databind: use of deeply nested arrays [jdg-8] (CVE-2022-42004)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
A flaw was found in the file-type npm package. A malformed MKV file could lead the file type detector to a denial of Service. This issue allows an attacker to input a malicious file and make the server unresponsive.
5.5 (Medium)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat Data Grid 8.4.1
Red Hat / Red Hat JBoss Data Grid
|
cpe:/a:redhat:jboss_data_grid:8
|
— |
Vendor Fix
fix
|
Threats
Impact
Moderate
A flaw was found in loader-utils webpack library. When the url variable from interpolateName is set, the prototype can be polluted. This issue could lead to a regular expression Denial of Service (ReDoS), affecting the availability of the affected component.
7.5 (High)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat Data Grid 8.4.1
Red Hat / Red Hat JBoss Data Grid
|
cpe:/a:redhat:jboss_data_grid:8
|
— |
Vendor Fix
fix
|
Threats
Impact
Moderate
A flaw was found in codec-haproxy from the Netty project. This flaw allows an attacker to build a malformed crafted message and cause infinite recursion, causing stack exhaustion and leading to a denial of service (DoS).
7.5 (High)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat Data Grid 8.4.1
Red Hat / Red Hat JBoss Data Grid
|
cpe:/a:redhat:jboss_data_grid:8
|
— |
Vendor Fix
fix
|
Threats
Impact
Moderate
A flaw was found in FasterXML jackson-databind. This issue could allow an attacker to benefit from resource exhaustion when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled due to unchecked primitive value deserializers to avoid deep wrapper array nesting.
7.5 (High)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat Data Grid 8.4.1
Red Hat / Red Hat JBoss Data Grid
|
cpe:/a:redhat:jboss_data_grid:8
|
— |
Vendor Fix
fix
|
Threats
Impact
Moderate
A flaw was found In FasterXML jackson-databind. This issue could allow an attacker to benefit from resource exhaustion due to the lack of a check in BeanDeserializer._deserializeFromArray to prevent the use of deeply nested arrays. An application is only vulnerable with certain customized choices for deserialization.
7.5 (High)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat Data Grid 8.4.1
Red Hat / Red Hat JBoss Data Grid
|
cpe:/a:redhat:jboss_data_grid:8
|
— |
Vendor Fix
fix
|
Threats
Impact
Moderate
A flaw was found in Apache MINA SSHD, when using Java deserialization to load a serialized java.security.PrivateKey. An attacker could benefit from unsafe deserialization by inserting unsecured data that may affect the application or server.
9.8 (Critical)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat Data Grid 8.4.1
Red Hat / Red Hat JBoss Data Grid
|
cpe:/a:redhat:jboss_data_grid:8
|
— |
Vendor Fix
fix
Workaround
|
Threats
Impact
Moderate
References
36 references
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for Red Hat Data Grid 8 is now available.\n \nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Red Hat Data Grid is an in-memory, distributed, NoSQL datastore solution. It increases application response times and allows for dramatically improving performance while providing availability, reliability, and elastic scale.\n \nData Grid 8.4.1 replaces Data Grid 8.4.0 and includes bug fixes and enhancements. Find out more about Data Grid 8.4.1 in the Release Notes[3].\n\nSecurity Fix(es):\n\n* mina-sshd: Java unsafe deserialization vulnerability [jdg-8] (CVE-2022-45047)\n\n* file-type: a malformed MKV file could cause the file type detector to get caught in an infinite loop [jdg-8] (CVE-2022-36313)\n\n* loader-utils: loader-utils:Regular expression denial of service [jdg-8] (CVE-2022-37603)\n\n* codec-haproxy: HAProxyMessageDecoder Stack Exhaustion DoS [jdg-8] (CVE-2022-41881)\n\n* jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS [jdg-8] (CVE-2022-42003)\n\n* jackson-databind: use of deeply nested arrays [jdg-8] (CVE-2022-42004)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2023:0713",
"url": "https://access.redhat.com/errata/RHSA-2023:0713"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "https://access.redhat.com/jbossnetwork/restricted/softwareDetail.html?softwareId=70381\u0026product=data.grid\u0026version=8.4\u0026downloadType=patches",
"url": "https://access.redhat.com/jbossnetwork/restricted/softwareDetail.html?softwareId=70381\u0026product=data.grid\u0026version=8.4\u0026downloadType=patches"
},
{
"category": "external",
"summary": "https://access.redhat.com/documentation/en-us/red_hat_data_grid/8.4/html-single/red_hat_data_grid_8.4_release_notes/index",
"url": "https://access.redhat.com/documentation/en-us/red_hat_data_grid/8.4/html-single/red_hat_data_grid_8.4_release_notes/index"
},
{
"category": "external",
"summary": "2135244",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135244"
},
{
"category": "external",
"summary": "2135247",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135247"
},
{
"category": "external",
"summary": "2140597",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2140597"
},
{
"category": "external",
"summary": "2145194",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2145194"
},
{
"category": "external",
"summary": "2153379",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2153379"
},
{
"category": "external",
"summary": "2159682",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2159682"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2023/rhsa-2023_0713.json"
}
],
"title": "Red Hat Security Advisory: Red Hat Data Grid 8.4.1 security update",
"tracking": {
"current_release_date": "2024-12-16T02:04:20+00:00",
"generator": {
"date": "2024-12-16T02:04:20+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.2.3"
}
},
"id": "RHSA-2023:0713",
"initial_release_date": "2023-02-09T11:35:44+00:00",
"revision_history": [
{
"date": "2023-02-09T11:35:44+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2023-02-09T11:35:44+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2024-12-16T02:04:20+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Data Grid 8.4.1",
"product": {
"name": "Red Hat Data Grid 8.4.1",
"product_id": "Red Hat Data Grid 8.4.1",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:jboss_data_grid:8"
}
}
}
],
"category": "product_family",
"name": "Red Hat JBoss Data Grid"
}
],
"category": "vendor",
"name": "Red Hat"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2022-36313",
"cwe": {
"id": "CWE-835",
"name": "Loop with Unreachable Exit Condition (\u0027Infinite Loop\u0027)"
},
"discovery_date": "2023-01-10T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2159682"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the file-type npm package. A malformed MKV file could lead the file type detector to a denial of Service. This issue allows an attacker to input a malicious file and make the server unresponsive.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "file-type: a malformed MKV file could cause the file type detector to get caught in an infinite loop",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Data Grid 8.4.1"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-36313"
},
{
"category": "external",
"summary": "RHBZ#2159682",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2159682"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-36313",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-36313"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-36313",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-36313"
}
],
"release_date": "2022-07-21T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-02-09T11:35:44+00:00",
"details": "To install this update, do the following:\n \n1. Download the Data Grid 8.4.1 Server patch from the customer portal[\u00b2].\n2. Back up your existing Data Grid installation. You should back up databases, configuration files, and so on.\n3. Install the Data Grid 8.4.1 Server patch.\n4. Restart Data Grid to ensure the changes take effect.\n\nFor more information about Data Grid 8.4.1, refer to the 8.4.1 Release Notes[\u00b3]",
"product_ids": [
"Red Hat Data Grid 8.4.1"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0713"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat Data Grid 8.4.1"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "file-type: a malformed MKV file could cause the file type detector to get caught in an infinite loop"
},
{
"cve": "CVE-2022-37603",
"cwe": {
"id": "CWE-185",
"name": "Incorrect Regular Expression"
},
"discovery_date": "2022-11-07T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2140597"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in loader-utils webpack library. When the url variable from interpolateName is set, the prototype can be polluted. This issue could lead to a regular expression Denial of Service (ReDoS), affecting the availability of the affected component.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "loader-utils: Regular expression denial of service",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Data Grid 8.4.1"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-37603"
},
{
"category": "external",
"summary": "RHBZ#2140597",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2140597"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-37603",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-37603"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-37603",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-37603"
}
],
"release_date": "2022-10-06T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-02-09T11:35:44+00:00",
"details": "To install this update, do the following:\n \n1. Download the Data Grid 8.4.1 Server patch from the customer portal[\u00b2].\n2. Back up your existing Data Grid installation. You should back up databases, configuration files, and so on.\n3. Install the Data Grid 8.4.1 Server patch.\n4. Restart Data Grid to ensure the changes take effect.\n\nFor more information about Data Grid 8.4.1, refer to the 8.4.1 Release Notes[\u00b3]",
"product_ids": [
"Red Hat Data Grid 8.4.1"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0713"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat Data Grid 8.4.1"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "loader-utils: Regular expression denial of service"
},
{
"cve": "CVE-2022-41881",
"cwe": {
"id": "CWE-674",
"name": "Uncontrolled Recursion"
},
"discovery_date": "2022-12-14T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2153379"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in codec-haproxy from the Netty project. This flaw allows an attacker to build a malformed crafted message and cause infinite recursion, causing stack exhaustion and leading to a denial of service (DoS).",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "codec-haproxy: HAProxyMessageDecoder Stack Exhaustion DoS",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Data Grid 8.4.1"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-41881"
},
{
"category": "external",
"summary": "RHBZ#2153379",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2153379"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-41881",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-41881"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-41881",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41881"
}
],
"release_date": "2022-12-12T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-02-09T11:35:44+00:00",
"details": "To install this update, do the following:\n \n1. Download the Data Grid 8.4.1 Server patch from the customer portal[\u00b2].\n2. Back up your existing Data Grid installation. You should back up databases, configuration files, and so on.\n3. Install the Data Grid 8.4.1 Server patch.\n4. Restart Data Grid to ensure the changes take effect.\n\nFor more information about Data Grid 8.4.1, refer to the 8.4.1 Release Notes[\u00b3]",
"product_ids": [
"Red Hat Data Grid 8.4.1"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0713"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat Data Grid 8.4.1"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "codec-haproxy: HAProxyMessageDecoder Stack Exhaustion DoS"
},
{
"cve": "CVE-2022-42003",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2022-10-17T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2135244"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in FasterXML jackson-databind. This issue could allow an attacker to benefit from resource exhaustion when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled due to unchecked primitive value deserializers to avoid deep wrapper array nesting.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Data Grid 8.4.1"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-42003"
},
{
"category": "external",
"summary": "RHBZ#2135244",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135244"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-42003",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-42003"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-42003",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-42003"
}
],
"release_date": "2022-10-02T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-02-09T11:35:44+00:00",
"details": "To install this update, do the following:\n \n1. Download the Data Grid 8.4.1 Server patch from the customer portal[\u00b2].\n2. Back up your existing Data Grid installation. You should back up databases, configuration files, and so on.\n3. Install the Data Grid 8.4.1 Server patch.\n4. Restart Data Grid to ensure the changes take effect.\n\nFor more information about Data Grid 8.4.1, refer to the 8.4.1 Release Notes[\u00b3]",
"product_ids": [
"Red Hat Data Grid 8.4.1"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0713"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat Data Grid 8.4.1"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS"
},
{
"cve": "CVE-2022-42004",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2022-10-17T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2135247"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found In FasterXML jackson-databind. This issue could allow an attacker to benefit from resource exhaustion due to the lack of a check in BeanDeserializer._deserializeFromArray to prevent the use of deeply nested arrays. An application is only vulnerable with certain customized choices for deserialization.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jackson-databind: use of deeply nested arrays",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Data Grid 8.4.1"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-42004"
},
{
"category": "external",
"summary": "RHBZ#2135247",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135247"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-42004",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-42004"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-42004",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-42004"
}
],
"release_date": "2022-10-02T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-02-09T11:35:44+00:00",
"details": "To install this update, do the following:\n \n1. Download the Data Grid 8.4.1 Server patch from the customer portal[\u00b2].\n2. Back up your existing Data Grid installation. You should back up databases, configuration files, and so on.\n3. Install the Data Grid 8.4.1 Server patch.\n4. Restart Data Grid to ensure the changes take effect.\n\nFor more information about Data Grid 8.4.1, refer to the 8.4.1 Release Notes[\u00b3]",
"product_ids": [
"Red Hat Data Grid 8.4.1"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0713"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat Data Grid 8.4.1"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "jackson-databind: use of deeply nested arrays"
},
{
"cve": "CVE-2022-45047",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2022-11-23T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2145194"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Apache MINA SSHD, when using Java deserialization to load a serialized java.security.PrivateKey. An attacker could benefit from unsafe deserialization by inserting unsecured data that may affect the application or server.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "mina-sshd: Java unsafe deserialization vulnerability",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Impact as High as there\u0027s a mitigation for minimizing the impact which the flaw requires org.apache.sshd.server.keyprovider.SimpleGeneratorHostKeyProvider to be impacted, which would require an external/public API for an attacker to benefit from it. \n\nRed Hat Fuse 7 and Red Hat JBoss Enterprise Application Platform 7 have a lower rate (moderate) as it\u0027s very unlikely to be exploited since those are for internal usage or use a custom implementation in their case.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Data Grid 8.4.1"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-45047"
},
{
"category": "external",
"summary": "RHBZ#2145194",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2145194"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-45047",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-45047"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-45047",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-45047"
},
{
"category": "external",
"summary": "https://www.mail-archive.com/dev@mina.apache.org/msg39312.html",
"url": "https://www.mail-archive.com/dev@mina.apache.org/msg39312.html"
}
],
"release_date": "2022-11-16T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-02-09T11:35:44+00:00",
"details": "To install this update, do the following:\n \n1. Download the Data Grid 8.4.1 Server patch from the customer portal[\u00b2].\n2. Back up your existing Data Grid installation. You should back up databases, configuration files, and so on.\n3. Install the Data Grid 8.4.1 Server patch.\n4. Restart Data Grid to ensure the changes take effect.\n\nFor more information about Data Grid 8.4.1, refer to the 8.4.1 Release Notes[\u00b3]",
"product_ids": [
"Red Hat Data Grid 8.4.1"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0713"
},
{
"category": "workaround",
"details": "From the maintainer:\n\nFor Apache MINA SSHD \u003c= 2.9.1, do not use org.apache.sshd.server.keyprovider.SimpleGeneratorHostKeyProvider to generate and later load your server\u0027s host key. Use separately generated host key files, for instance in OpenSSH format, and load them via a org.apache.sshd.common.keyprovider.FileKeyPairProvider instead. Or use a custom implementation instead of \nSimpleGeneratorHostKeyProvider that uses the OpenSSH format for storing and loading the host key (via classes OpenSSHKeyPairResourceWriter and OpenSSHKeyPairResourceParser).",
"product_ids": [
"Red Hat Data Grid 8.4.1"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"Red Hat Data Grid 8.4.1"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "mina-sshd: Java unsafe deserialization vulnerability"
}
]
}
RHSA-2023_0934
Vulnerability from csaf_redhat - Published: 2023-02-28 00:50 - Updated: 2024-12-17 23:01Summary
Red Hat Security Advisory: Migration Toolkit for Applications security and bug fix update
Severity
Important
Notes
Topic: Migration Toolkit for Applications 6.0.1 release
Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.
Details: Migration Toolkit for Applications 6.0.1 Images
Security Fix(es) from Bugzilla:
* loader-utils: prototype pollution in function parseQuery in parseQuery.js (CVE-2022-37601)
* Apache-Commons-BCEL: arbitrary bytecode produced via out-of-bounds writing (CVE-2022-42920)
* gin: Unsanitized input in the default logger in github.com/gin-gonic/gin (CVE-2020-36567)
* glob-parent: Regular Expression Denial of Service (CVE-2021-35065)
* express: "qs" prototype poisoning causes the hang of the node process (CVE-2022-24999)
* loader-utils:Regular expression denial of service (CVE-2022-37603)
* golang: net/http: An attacker can cause excessive memory growth in a Go server accepting HTTP/2 requests (CVE-2022-41717)
* json5: Prototype Pollution in JSON5 via Parse Method (CVE-2022-46175)
For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
A flaw was found in gin. This issue occurs when the default Formatter for the Logger middleware (LoggerConfig.Formatter), which is included in the Default engine, allows attackers to inject arbitrary log entries by manipulating the request path.
7.5 (High)
Affected products
Fixed
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-MTA-6.0:mta/mta-admin-addon-rhel8@sha256:9445191232ad1ff1c2926b5a2194130502696a74620cda941675edc9c366b305_amd64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-MTA-6.0:mta/mta-hub-rhel8@sha256:ebc8706761a518bd08447a6e51a35f81e5beb3840f3b6b66f656c23c36c07e76_amd64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-MTA-6.0:mta/mta-windup-addon-rhel8@sha256:9a912e054a7c46e07bdbfeb165f0e71ff3686bcdba9cd53d0ed6be8ff0607108_amd64 | — |
Vendor Fix
fix
|
Known not affected
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-MTA-6.0:mta/mta-pathfinder-rhel8@sha256:b50244562f83977574d1bd88adc1d259501c90f883596b15fa81e557844e2956_amd64 | — | ||
| Unresolved product id: 8Base-MTA-6.0:mta/mta-rhel8-operator@sha256:7f145fc5723fd09324500de359146c2967a8b8f960dac4b862352faf2cb592c4_amd64 | — | ||
| Unresolved product id: 8Base-MTA-6.0:mta/mta-ui-rhel8@sha256:e00e79bc7fb1bc104b1d3e0ebc6b49c7d3c7885925e3c432d60b43f10aaec1c4_amd64 | — |
Threats
Impact
Moderate
A vulnerability was found in the glob-parent package. Affected versions of this package are vulnerable to Regular expression Denial of Service (ReDoS) attacks, affecting system availability.
7.5 (High)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-MTA-6.0:mta/mta-ui-rhel8@sha256:e00e79bc7fb1bc104b1d3e0ebc6b49c7d3c7885925e3c432d60b43f10aaec1c4_amd64 | — |
Vendor Fix
fix
|
Known not affected
5 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-MTA-6.0:mta/mta-admin-addon-rhel8@sha256:9445191232ad1ff1c2926b5a2194130502696a74620cda941675edc9c366b305_amd64 | — | ||
| Unresolved product id: 8Base-MTA-6.0:mta/mta-hub-rhel8@sha256:ebc8706761a518bd08447a6e51a35f81e5beb3840f3b6b66f656c23c36c07e76_amd64 | — | ||
| Unresolved product id: 8Base-MTA-6.0:mta/mta-pathfinder-rhel8@sha256:b50244562f83977574d1bd88adc1d259501c90f883596b15fa81e557844e2956_amd64 | — | ||
| Unresolved product id: 8Base-MTA-6.0:mta/mta-rhel8-operator@sha256:7f145fc5723fd09324500de359146c2967a8b8f960dac4b862352faf2cb592c4_amd64 | — | ||
| Unresolved product id: 8Base-MTA-6.0:mta/mta-windup-addon-rhel8@sha256:9a912e054a7c46e07bdbfeb165f0e71ff3686bcdba9cd53d0ed6be8ff0607108_amd64 | — |
Threats
Impact
Moderate
A flaw was found in the express.js npm package of nodejs:14 module stream. Express.js Express is vulnerable to a denial of service caused by a prototype pollution flaw in qs. By adding or modifying properties of Object.prototype using a __proto__ or constructor payload, a remote attacker can cause a denial of service.
7.5 (High)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-MTA-6.0:mta/mta-ui-rhel8@sha256:e00e79bc7fb1bc104b1d3e0ebc6b49c7d3c7885925e3c432d60b43f10aaec1c4_amd64 | — |
Vendor Fix
fix
|
Known not affected
5 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-MTA-6.0:mta/mta-admin-addon-rhel8@sha256:9445191232ad1ff1c2926b5a2194130502696a74620cda941675edc9c366b305_amd64 | — | ||
| Unresolved product id: 8Base-MTA-6.0:mta/mta-hub-rhel8@sha256:ebc8706761a518bd08447a6e51a35f81e5beb3840f3b6b66f656c23c36c07e76_amd64 | — | ||
| Unresolved product id: 8Base-MTA-6.0:mta/mta-pathfinder-rhel8@sha256:b50244562f83977574d1bd88adc1d259501c90f883596b15fa81e557844e2956_amd64 | — | ||
| Unresolved product id: 8Base-MTA-6.0:mta/mta-rhel8-operator@sha256:7f145fc5723fd09324500de359146c2967a8b8f960dac4b862352faf2cb592c4_amd64 | — | ||
| Unresolved product id: 8Base-MTA-6.0:mta/mta-windup-addon-rhel8@sha256:9a912e054a7c46e07bdbfeb165f0e71ff3686bcdba9cd53d0ed6be8ff0607108_amd64 | — |
Threats
Impact
Moderate
A prototype pollution vulnerability was found in the parseQuery function in parseQuery.js in the webpack loader-utils via the name variable in parseQuery.js. This flaw can lead to a denial of service or remote code execution.
8.1 (High)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-MTA-6.0:mta/mta-ui-rhel8@sha256:e00e79bc7fb1bc104b1d3e0ebc6b49c7d3c7885925e3c432d60b43f10aaec1c4_amd64 | — |
Vendor Fix
fix
|
Known not affected
5 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-MTA-6.0:mta/mta-admin-addon-rhel8@sha256:9445191232ad1ff1c2926b5a2194130502696a74620cda941675edc9c366b305_amd64 | — | ||
| Unresolved product id: 8Base-MTA-6.0:mta/mta-hub-rhel8@sha256:ebc8706761a518bd08447a6e51a35f81e5beb3840f3b6b66f656c23c36c07e76_amd64 | — | ||
| Unresolved product id: 8Base-MTA-6.0:mta/mta-pathfinder-rhel8@sha256:b50244562f83977574d1bd88adc1d259501c90f883596b15fa81e557844e2956_amd64 | — | ||
| Unresolved product id: 8Base-MTA-6.0:mta/mta-rhel8-operator@sha256:7f145fc5723fd09324500de359146c2967a8b8f960dac4b862352faf2cb592c4_amd64 | — | ||
| Unresolved product id: 8Base-MTA-6.0:mta/mta-windup-addon-rhel8@sha256:9a912e054a7c46e07bdbfeb165f0e71ff3686bcdba9cd53d0ed6be8ff0607108_amd64 | — |
Threats
Impact
Moderate
A flaw was found in loader-utils webpack library. When the url variable from interpolateName is set, the prototype can be polluted. This issue could lead to a regular expression Denial of Service (ReDoS), affecting the availability of the affected component.
7.5 (High)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-MTA-6.0:mta/mta-ui-rhel8@sha256:e00e79bc7fb1bc104b1d3e0ebc6b49c7d3c7885925e3c432d60b43f10aaec1c4_amd64 | — |
Vendor Fix
fix
|
Known not affected
5 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-MTA-6.0:mta/mta-admin-addon-rhel8@sha256:9445191232ad1ff1c2926b5a2194130502696a74620cda941675edc9c366b305_amd64 | — | ||
| Unresolved product id: 8Base-MTA-6.0:mta/mta-hub-rhel8@sha256:ebc8706761a518bd08447a6e51a35f81e5beb3840f3b6b66f656c23c36c07e76_amd64 | — | ||
| Unresolved product id: 8Base-MTA-6.0:mta/mta-pathfinder-rhel8@sha256:b50244562f83977574d1bd88adc1d259501c90f883596b15fa81e557844e2956_amd64 | — | ||
| Unresolved product id: 8Base-MTA-6.0:mta/mta-rhel8-operator@sha256:7f145fc5723fd09324500de359146c2967a8b8f960dac4b862352faf2cb592c4_amd64 | — | ||
| Unresolved product id: 8Base-MTA-6.0:mta/mta-windup-addon-rhel8@sha256:9a912e054a7c46e07bdbfeb165f0e71ff3686bcdba9cd53d0ed6be8ff0607108_amd64 | — |
Threats
Impact
Moderate
A flaw was found in the net/http library of the golang package. This flaw allows an attacker to cause excessive memory growth in a Go server accepting HTTP/2 requests. HTTP/2 server connections contain a cache of HTTP header keys sent by the client. While the total number of entries in this cache is capped, an attacker sending very large keys can cause the server to allocate approximately 64 MiB per open connection.
5.3 (Medium)
Affected products
Fixed
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-MTA-6.0:mta/mta-admin-addon-rhel8@sha256:9445191232ad1ff1c2926b5a2194130502696a74620cda941675edc9c366b305_amd64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-MTA-6.0:mta/mta-hub-rhel8@sha256:ebc8706761a518bd08447a6e51a35f81e5beb3840f3b6b66f656c23c36c07e76_amd64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-MTA-6.0:mta/mta-windup-addon-rhel8@sha256:9a912e054a7c46e07bdbfeb165f0e71ff3686bcdba9cd53d0ed6be8ff0607108_amd64 | — |
Vendor Fix
fix
|
Known not affected
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-MTA-6.0:mta/mta-pathfinder-rhel8@sha256:b50244562f83977574d1bd88adc1d259501c90f883596b15fa81e557844e2956_amd64 | — | ||
| Unresolved product id: 8Base-MTA-6.0:mta/mta-rhel8-operator@sha256:7f145fc5723fd09324500de359146c2967a8b8f960dac4b862352faf2cb592c4_amd64 | — | ||
| Unresolved product id: 8Base-MTA-6.0:mta/mta-ui-rhel8@sha256:e00e79bc7fb1bc104b1d3e0ebc6b49c7d3c7885925e3c432d60b43f10aaec1c4_amd64 | — |
Threats
Impact
Moderate
An out-of-bounds (OOB) write flaw was found in Apache Commons BCEL API. This flaw can be used to produce arbitrary bytecode and may abuse applications that pass attacker-controlled data to those APIs, giving the attacker more control over the resulting bytecode than otherwise expected.
8.1 (High)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-MTA-6.0:mta/mta-ui-rhel8@sha256:e00e79bc7fb1bc104b1d3e0ebc6b49c7d3c7885925e3c432d60b43f10aaec1c4_amd64 | — |
Vendor Fix
fix
|
Known not affected
5 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-MTA-6.0:mta/mta-admin-addon-rhel8@sha256:9445191232ad1ff1c2926b5a2194130502696a74620cda941675edc9c366b305_amd64 | — | ||
| Unresolved product id: 8Base-MTA-6.0:mta/mta-hub-rhel8@sha256:ebc8706761a518bd08447a6e51a35f81e5beb3840f3b6b66f656c23c36c07e76_amd64 | — | ||
| Unresolved product id: 8Base-MTA-6.0:mta/mta-pathfinder-rhel8@sha256:b50244562f83977574d1bd88adc1d259501c90f883596b15fa81e557844e2956_amd64 | — | ||
| Unresolved product id: 8Base-MTA-6.0:mta/mta-rhel8-operator@sha256:7f145fc5723fd09324500de359146c2967a8b8f960dac4b862352faf2cb592c4_amd64 | — | ||
| Unresolved product id: 8Base-MTA-6.0:mta/mta-windup-addon-rhel8@sha256:9a912e054a7c46e07bdbfeb165f0e71ff3686bcdba9cd53d0ed6be8ff0607108_amd64 | — |
Threats
Impact
Important
A flaw was found in the json5 package. The affected version of the json5 package could allow an attacker to set arbitrary and unexpected keys on the object returned from JSON5.parse.
8.8 (High)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-MTA-6.0:mta/mta-ui-rhel8@sha256:e00e79bc7fb1bc104b1d3e0ebc6b49c7d3c7885925e3c432d60b43f10aaec1c4_amd64 | — |
Vendor Fix
fix
|
Known not affected
5 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-MTA-6.0:mta/mta-admin-addon-rhel8@sha256:9445191232ad1ff1c2926b5a2194130502696a74620cda941675edc9c366b305_amd64 | — | ||
| Unresolved product id: 8Base-MTA-6.0:mta/mta-hub-rhel8@sha256:ebc8706761a518bd08447a6e51a35f81e5beb3840f3b6b66f656c23c36c07e76_amd64 | — | ||
| Unresolved product id: 8Base-MTA-6.0:mta/mta-pathfinder-rhel8@sha256:b50244562f83977574d1bd88adc1d259501c90f883596b15fa81e557844e2956_amd64 | — | ||
| Unresolved product id: 8Base-MTA-6.0:mta/mta-rhel8-operator@sha256:7f145fc5723fd09324500de359146c2967a8b8f960dac4b862352faf2cb592c4_amd64 | — | ||
| Unresolved product id: 8Base-MTA-6.0:mta/mta-windup-addon-rhel8@sha256:9a912e054a7c46e07bdbfeb165f0e71ff3686bcdba9cd53d0ed6be8ff0607108_amd64 | — |
Threats
Impact
Moderate
References
80 references
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Migration Toolkit for Applications 6.0.1 release\n\nRed Hat Product Security has rated this update as having a security impact\nof Important. A Common Vulnerability Scoring System (CVSS) base score, which\ngives a detailed severity rating, is available for each vulnerability from\nthe CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Migration Toolkit for Applications 6.0.1 Images\n\nSecurity Fix(es) from Bugzilla:\n\n* loader-utils: prototype pollution in function parseQuery in parseQuery.js (CVE-2022-37601)\n\n* Apache-Commons-BCEL: arbitrary bytecode produced via out-of-bounds writing (CVE-2022-42920)\n\n* gin: Unsanitized input in the default logger in github.com/gin-gonic/gin (CVE-2020-36567)\n\n* glob-parent: Regular Expression Denial of Service (CVE-2021-35065)\n\n* express: \"qs\" prototype poisoning causes the hang of the node process (CVE-2022-24999)\n\n* loader-utils:Regular expression denial of service (CVE-2022-37603)\n\n* golang: net/http: An attacker can cause excessive memory growth in a Go server accepting HTTP/2 requests (CVE-2022-41717)\n\n* json5: Prototype Pollution in JSON5 via Parse Method (CVE-2022-46175)\n\nFor more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2023:0934",
"url": "https://access.redhat.com/errata/RHSA-2023:0934"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "2134876",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2134876"
},
{
"category": "external",
"summary": "2140597",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2140597"
},
{
"category": "external",
"summary": "2142707",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2142707"
},
{
"category": "external",
"summary": "2150323",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2150323"
},
{
"category": "external",
"summary": "2156263",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2156263"
},
{
"category": "external",
"summary": "2156324",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2156324"
},
{
"category": "external",
"summary": "2156683",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2156683"
},
{
"category": "external",
"summary": "2161274",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2161274"
},
{
"category": "external",
"summary": "MTA-103",
"url": "https://issues.redhat.com/browse/MTA-103"
},
{
"category": "external",
"summary": "MTA-106",
"url": "https://issues.redhat.com/browse/MTA-106"
},
{
"category": "external",
"summary": "MTA-122",
"url": "https://issues.redhat.com/browse/MTA-122"
},
{
"category": "external",
"summary": "MTA-123",
"url": "https://issues.redhat.com/browse/MTA-123"
},
{
"category": "external",
"summary": "MTA-127",
"url": "https://issues.redhat.com/browse/MTA-127"
},
{
"category": "external",
"summary": "MTA-131",
"url": "https://issues.redhat.com/browse/MTA-131"
},
{
"category": "external",
"summary": "MTA-36",
"url": "https://issues.redhat.com/browse/MTA-36"
},
{
"category": "external",
"summary": "MTA-44",
"url": "https://issues.redhat.com/browse/MTA-44"
},
{
"category": "external",
"summary": "MTA-49",
"url": "https://issues.redhat.com/browse/MTA-49"
},
{
"category": "external",
"summary": "MTA-59",
"url": "https://issues.redhat.com/browse/MTA-59"
},
{
"category": "external",
"summary": "MTA-65",
"url": "https://issues.redhat.com/browse/MTA-65"
},
{
"category": "external",
"summary": "MTA-72",
"url": "https://issues.redhat.com/browse/MTA-72"
},
{
"category": "external",
"summary": "MTA-73",
"url": "https://issues.redhat.com/browse/MTA-73"
},
{
"category": "external",
"summary": "MTA-74",
"url": "https://issues.redhat.com/browse/MTA-74"
},
{
"category": "external",
"summary": "MTA-76",
"url": "https://issues.redhat.com/browse/MTA-76"
},
{
"category": "external",
"summary": "MTA-77",
"url": "https://issues.redhat.com/browse/MTA-77"
},
{
"category": "external",
"summary": "MTA-80",
"url": "https://issues.redhat.com/browse/MTA-80"
},
{
"category": "external",
"summary": "MTA-82",
"url": "https://issues.redhat.com/browse/MTA-82"
},
{
"category": "external",
"summary": "MTA-85",
"url": "https://issues.redhat.com/browse/MTA-85"
},
{
"category": "external",
"summary": "MTA-88",
"url": "https://issues.redhat.com/browse/MTA-88"
},
{
"category": "external",
"summary": "MTA-92",
"url": "https://issues.redhat.com/browse/MTA-92"
},
{
"category": "external",
"summary": "MTA-96",
"url": "https://issues.redhat.com/browse/MTA-96"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2023/rhsa-2023_0934.json"
}
],
"title": "Red Hat Security Advisory: Migration Toolkit for Applications security and bug fix update",
"tracking": {
"current_release_date": "2024-12-17T23:01:30+00:00",
"generator": {
"date": "2024-12-17T23:01:30+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.2.3"
}
},
"id": "RHSA-2023:0934",
"initial_release_date": "2023-02-28T00:50:28+00:00",
"revision_history": [
{
"date": "2023-02-28T00:50:28+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2023-02-28T23:46:39+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2024-12-17T23:01:30+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "MTA 6.0 for RHEL 8",
"product": {
"name": "MTA 6.0 for RHEL 8",
"product_id": "8Base-MTA-6.0",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:migration_toolkit_applications:6.0::el8"
}
}
}
],
"category": "product_family",
"name": "Migration Toolkit for Applications"
},
{
"branches": [
{
"category": "product_version",
"name": "mta/mta-admin-addon-rhel8@sha256:9445191232ad1ff1c2926b5a2194130502696a74620cda941675edc9c366b305_amd64",
"product": {
"name": "mta/mta-admin-addon-rhel8@sha256:9445191232ad1ff1c2926b5a2194130502696a74620cda941675edc9c366b305_amd64",
"product_id": "mta/mta-admin-addon-rhel8@sha256:9445191232ad1ff1c2926b5a2194130502696a74620cda941675edc9c366b305_amd64",
"product_identification_helper": {
"purl": "pkg:oci/mta-admin-addon-rhel8@sha256:9445191232ad1ff1c2926b5a2194130502696a74620cda941675edc9c366b305?arch=amd64\u0026repository_url=registry.redhat.io/mta/mta-admin-addon-rhel8\u0026tag=6.0.1-8"
}
}
},
{
"category": "product_version",
"name": "mta/mta-hub-rhel8@sha256:ebc8706761a518bd08447a6e51a35f81e5beb3840f3b6b66f656c23c36c07e76_amd64",
"product": {
"name": "mta/mta-hub-rhel8@sha256:ebc8706761a518bd08447a6e51a35f81e5beb3840f3b6b66f656c23c36c07e76_amd64",
"product_id": "mta/mta-hub-rhel8@sha256:ebc8706761a518bd08447a6e51a35f81e5beb3840f3b6b66f656c23c36c07e76_amd64",
"product_identification_helper": {
"purl": "pkg:oci/mta-hub-rhel8@sha256:ebc8706761a518bd08447a6e51a35f81e5beb3840f3b6b66f656c23c36c07e76?arch=amd64\u0026repository_url=registry.redhat.io/mta/mta-hub-rhel8\u0026tag=6.0.1-8"
}
}
},
{
"category": "product_version",
"name": "mta/mta-rhel8-operator@sha256:7f145fc5723fd09324500de359146c2967a8b8f960dac4b862352faf2cb592c4_amd64",
"product": {
"name": "mta/mta-rhel8-operator@sha256:7f145fc5723fd09324500de359146c2967a8b8f960dac4b862352faf2cb592c4_amd64",
"product_id": "mta/mta-rhel8-operator@sha256:7f145fc5723fd09324500de359146c2967a8b8f960dac4b862352faf2cb592c4_amd64",
"product_identification_helper": {
"purl": "pkg:oci/mta-rhel8-operator@sha256:7f145fc5723fd09324500de359146c2967a8b8f960dac4b862352faf2cb592c4?arch=amd64\u0026repository_url=registry.redhat.io/mta/mta-rhel8-operator\u0026tag=6.0.1-8"
}
}
},
{
"category": "product_version",
"name": "mta/mta-pathfinder-rhel8@sha256:b50244562f83977574d1bd88adc1d259501c90f883596b15fa81e557844e2956_amd64",
"product": {
"name": "mta/mta-pathfinder-rhel8@sha256:b50244562f83977574d1bd88adc1d259501c90f883596b15fa81e557844e2956_amd64",
"product_id": "mta/mta-pathfinder-rhel8@sha256:b50244562f83977574d1bd88adc1d259501c90f883596b15fa81e557844e2956_amd64",
"product_identification_helper": {
"purl": "pkg:oci/mta-pathfinder-rhel8@sha256:b50244562f83977574d1bd88adc1d259501c90f883596b15fa81e557844e2956?arch=amd64\u0026repository_url=registry.redhat.io/mta/mta-pathfinder-rhel8\u0026tag=6.0.1-6"
}
}
},
{
"category": "product_version",
"name": "mta/mta-ui-rhel8@sha256:e00e79bc7fb1bc104b1d3e0ebc6b49c7d3c7885925e3c432d60b43f10aaec1c4_amd64",
"product": {
"name": "mta/mta-ui-rhel8@sha256:e00e79bc7fb1bc104b1d3e0ebc6b49c7d3c7885925e3c432d60b43f10aaec1c4_amd64",
"product_id": "mta/mta-ui-rhel8@sha256:e00e79bc7fb1bc104b1d3e0ebc6b49c7d3c7885925e3c432d60b43f10aaec1c4_amd64",
"product_identification_helper": {
"purl": "pkg:oci/mta-ui-rhel8@sha256:e00e79bc7fb1bc104b1d3e0ebc6b49c7d3c7885925e3c432d60b43f10aaec1c4?arch=amd64\u0026repository_url=registry.redhat.io/mta/mta-ui-rhel8\u0026tag=6.0.1-10"
}
}
},
{
"category": "product_version",
"name": "mta/mta-windup-addon-rhel8@sha256:9a912e054a7c46e07bdbfeb165f0e71ff3686bcdba9cd53d0ed6be8ff0607108_amd64",
"product": {
"name": "mta/mta-windup-addon-rhel8@sha256:9a912e054a7c46e07bdbfeb165f0e71ff3686bcdba9cd53d0ed6be8ff0607108_amd64",
"product_id": "mta/mta-windup-addon-rhel8@sha256:9a912e054a7c46e07bdbfeb165f0e71ff3686bcdba9cd53d0ed6be8ff0607108_amd64",
"product_identification_helper": {
"purl": "pkg:oci/mta-windup-addon-rhel8@sha256:9a912e054a7c46e07bdbfeb165f0e71ff3686bcdba9cd53d0ed6be8ff0607108?arch=amd64\u0026repository_url=registry.redhat.io/mta/mta-windup-addon-rhel8\u0026tag=6.0.1-9"
}
}
}
],
"category": "architecture",
"name": "amd64"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "mta/mta-admin-addon-rhel8@sha256:9445191232ad1ff1c2926b5a2194130502696a74620cda941675edc9c366b305_amd64 as a component of MTA 6.0 for RHEL 8",
"product_id": "8Base-MTA-6.0:mta/mta-admin-addon-rhel8@sha256:9445191232ad1ff1c2926b5a2194130502696a74620cda941675edc9c366b305_amd64"
},
"product_reference": "mta/mta-admin-addon-rhel8@sha256:9445191232ad1ff1c2926b5a2194130502696a74620cda941675edc9c366b305_amd64",
"relates_to_product_reference": "8Base-MTA-6.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "mta/mta-hub-rhel8@sha256:ebc8706761a518bd08447a6e51a35f81e5beb3840f3b6b66f656c23c36c07e76_amd64 as a component of MTA 6.0 for RHEL 8",
"product_id": "8Base-MTA-6.0:mta/mta-hub-rhel8@sha256:ebc8706761a518bd08447a6e51a35f81e5beb3840f3b6b66f656c23c36c07e76_amd64"
},
"product_reference": "mta/mta-hub-rhel8@sha256:ebc8706761a518bd08447a6e51a35f81e5beb3840f3b6b66f656c23c36c07e76_amd64",
"relates_to_product_reference": "8Base-MTA-6.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "mta/mta-pathfinder-rhel8@sha256:b50244562f83977574d1bd88adc1d259501c90f883596b15fa81e557844e2956_amd64 as a component of MTA 6.0 for RHEL 8",
"product_id": "8Base-MTA-6.0:mta/mta-pathfinder-rhel8@sha256:b50244562f83977574d1bd88adc1d259501c90f883596b15fa81e557844e2956_amd64"
},
"product_reference": "mta/mta-pathfinder-rhel8@sha256:b50244562f83977574d1bd88adc1d259501c90f883596b15fa81e557844e2956_amd64",
"relates_to_product_reference": "8Base-MTA-6.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "mta/mta-rhel8-operator@sha256:7f145fc5723fd09324500de359146c2967a8b8f960dac4b862352faf2cb592c4_amd64 as a component of MTA 6.0 for RHEL 8",
"product_id": "8Base-MTA-6.0:mta/mta-rhel8-operator@sha256:7f145fc5723fd09324500de359146c2967a8b8f960dac4b862352faf2cb592c4_amd64"
},
"product_reference": "mta/mta-rhel8-operator@sha256:7f145fc5723fd09324500de359146c2967a8b8f960dac4b862352faf2cb592c4_amd64",
"relates_to_product_reference": "8Base-MTA-6.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "mta/mta-ui-rhel8@sha256:e00e79bc7fb1bc104b1d3e0ebc6b49c7d3c7885925e3c432d60b43f10aaec1c4_amd64 as a component of MTA 6.0 for RHEL 8",
"product_id": "8Base-MTA-6.0:mta/mta-ui-rhel8@sha256:e00e79bc7fb1bc104b1d3e0ebc6b49c7d3c7885925e3c432d60b43f10aaec1c4_amd64"
},
"product_reference": "mta/mta-ui-rhel8@sha256:e00e79bc7fb1bc104b1d3e0ebc6b49c7d3c7885925e3c432d60b43f10aaec1c4_amd64",
"relates_to_product_reference": "8Base-MTA-6.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "mta/mta-windup-addon-rhel8@sha256:9a912e054a7c46e07bdbfeb165f0e71ff3686bcdba9cd53d0ed6be8ff0607108_amd64 as a component of MTA 6.0 for RHEL 8",
"product_id": "8Base-MTA-6.0:mta/mta-windup-addon-rhel8@sha256:9a912e054a7c46e07bdbfeb165f0e71ff3686bcdba9cd53d0ed6be8ff0607108_amd64"
},
"product_reference": "mta/mta-windup-addon-rhel8@sha256:9a912e054a7c46e07bdbfeb165f0e71ff3686bcdba9cd53d0ed6be8ff0607108_amd64",
"relates_to_product_reference": "8Base-MTA-6.0"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2020-36567",
"cwe": {
"id": "CWE-117",
"name": "Improper Output Neutralization for Logs"
},
"discovery_date": "2022-12-28T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-MTA-6.0:mta/mta-pathfinder-rhel8@sha256:b50244562f83977574d1bd88adc1d259501c90f883596b15fa81e557844e2956_amd64",
"8Base-MTA-6.0:mta/mta-rhel8-operator@sha256:7f145fc5723fd09324500de359146c2967a8b8f960dac4b862352faf2cb592c4_amd64",
"8Base-MTA-6.0:mta/mta-ui-rhel8@sha256:e00e79bc7fb1bc104b1d3e0ebc6b49c7d3c7885925e3c432d60b43f10aaec1c4_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2156683"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in gin. This issue occurs when the default Formatter for the Logger middleware (LoggerConfig.Formatter), which is included in the Default engine, allows attackers to inject arbitrary log entries by manipulating the request path.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "gin: Unsanitized input in the default logger in github.com/gin-gonic/gin",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-MTA-6.0:mta/mta-admin-addon-rhel8@sha256:9445191232ad1ff1c2926b5a2194130502696a74620cda941675edc9c366b305_amd64",
"8Base-MTA-6.0:mta/mta-hub-rhel8@sha256:ebc8706761a518bd08447a6e51a35f81e5beb3840f3b6b66f656c23c36c07e76_amd64",
"8Base-MTA-6.0:mta/mta-windup-addon-rhel8@sha256:9a912e054a7c46e07bdbfeb165f0e71ff3686bcdba9cd53d0ed6be8ff0607108_amd64"
],
"known_not_affected": [
"8Base-MTA-6.0:mta/mta-pathfinder-rhel8@sha256:b50244562f83977574d1bd88adc1d259501c90f883596b15fa81e557844e2956_amd64",
"8Base-MTA-6.0:mta/mta-rhel8-operator@sha256:7f145fc5723fd09324500de359146c2967a8b8f960dac4b862352faf2cb592c4_amd64",
"8Base-MTA-6.0:mta/mta-ui-rhel8@sha256:e00e79bc7fb1bc104b1d3e0ebc6b49c7d3c7885925e3c432d60b43f10aaec1c4_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2020-36567"
},
{
"category": "external",
"summary": "RHBZ#2156683",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2156683"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2020-36567",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-36567"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-36567",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-36567"
},
{
"category": "external",
"summary": "https://github.com/gin-gonic/gin/commit/a71af9c144f9579f6dbe945341c1df37aaf09c0d",
"url": "https://github.com/gin-gonic/gin/commit/a71af9c144f9579f6dbe945341c1df37aaf09c0d"
},
{
"category": "external",
"summary": "https://github.com/gin-gonic/gin/pull/2237",
"url": "https://github.com/gin-gonic/gin/pull/2237"
},
{
"category": "external",
"summary": "https://pkg.go.dev/vuln/GO-2020-0001",
"url": "https://pkg.go.dev/vuln/GO-2020-0001"
}
],
"release_date": "2022-12-27T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-02-28T00:50:28+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-MTA-6.0:mta/mta-admin-addon-rhel8@sha256:9445191232ad1ff1c2926b5a2194130502696a74620cda941675edc9c366b305_amd64",
"8Base-MTA-6.0:mta/mta-hub-rhel8@sha256:ebc8706761a518bd08447a6e51a35f81e5beb3840f3b6b66f656c23c36c07e76_amd64",
"8Base-MTA-6.0:mta/mta-windup-addon-rhel8@sha256:9a912e054a7c46e07bdbfeb165f0e71ff3686bcdba9cd53d0ed6be8ff0607108_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0934"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"products": [
"8Base-MTA-6.0:mta/mta-admin-addon-rhel8@sha256:9445191232ad1ff1c2926b5a2194130502696a74620cda941675edc9c366b305_amd64",
"8Base-MTA-6.0:mta/mta-hub-rhel8@sha256:ebc8706761a518bd08447a6e51a35f81e5beb3840f3b6b66f656c23c36c07e76_amd64",
"8Base-MTA-6.0:mta/mta-pathfinder-rhel8@sha256:b50244562f83977574d1bd88adc1d259501c90f883596b15fa81e557844e2956_amd64",
"8Base-MTA-6.0:mta/mta-rhel8-operator@sha256:7f145fc5723fd09324500de359146c2967a8b8f960dac4b862352faf2cb592c4_amd64",
"8Base-MTA-6.0:mta/mta-ui-rhel8@sha256:e00e79bc7fb1bc104b1d3e0ebc6b49c7d3c7885925e3c432d60b43f10aaec1c4_amd64",
"8Base-MTA-6.0:mta/mta-windup-addon-rhel8@sha256:9a912e054a7c46e07bdbfeb165f0e71ff3686bcdba9cd53d0ed6be8ff0607108_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "gin: Unsanitized input in the default logger in github.com/gin-gonic/gin"
},
{
"cve": "CVE-2021-35065",
"cwe": {
"id": "CWE-400",
"name": "Uncontrolled Resource Consumption"
},
"discovery_date": "2022-12-26T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-MTA-6.0:mta/mta-admin-addon-rhel8@sha256:9445191232ad1ff1c2926b5a2194130502696a74620cda941675edc9c366b305_amd64",
"8Base-MTA-6.0:mta/mta-hub-rhel8@sha256:ebc8706761a518bd08447a6e51a35f81e5beb3840f3b6b66f656c23c36c07e76_amd64",
"8Base-MTA-6.0:mta/mta-pathfinder-rhel8@sha256:b50244562f83977574d1bd88adc1d259501c90f883596b15fa81e557844e2956_amd64",
"8Base-MTA-6.0:mta/mta-rhel8-operator@sha256:7f145fc5723fd09324500de359146c2967a8b8f960dac4b862352faf2cb592c4_amd64",
"8Base-MTA-6.0:mta/mta-windup-addon-rhel8@sha256:9a912e054a7c46e07bdbfeb165f0e71ff3686bcdba9cd53d0ed6be8ff0607108_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2156324"
}
],
"notes": [
{
"category": "description",
"text": "A vulnerability was found in the glob-parent package. Affected versions of this package are vulnerable to Regular expression Denial of Service (ReDoS) attacks, affecting system availability.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "glob-parent: Regular Expression Denial of Service",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "The glob-parent package is a transitive dependency and this is not used directly in any of the Red Hat products. Hence, the impact is reduced to Moderate.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-MTA-6.0:mta/mta-ui-rhel8@sha256:e00e79bc7fb1bc104b1d3e0ebc6b49c7d3c7885925e3c432d60b43f10aaec1c4_amd64"
],
"known_not_affected": [
"8Base-MTA-6.0:mta/mta-admin-addon-rhel8@sha256:9445191232ad1ff1c2926b5a2194130502696a74620cda941675edc9c366b305_amd64",
"8Base-MTA-6.0:mta/mta-hub-rhel8@sha256:ebc8706761a518bd08447a6e51a35f81e5beb3840f3b6b66f656c23c36c07e76_amd64",
"8Base-MTA-6.0:mta/mta-pathfinder-rhel8@sha256:b50244562f83977574d1bd88adc1d259501c90f883596b15fa81e557844e2956_amd64",
"8Base-MTA-6.0:mta/mta-rhel8-operator@sha256:7f145fc5723fd09324500de359146c2967a8b8f960dac4b862352faf2cb592c4_amd64",
"8Base-MTA-6.0:mta/mta-windup-addon-rhel8@sha256:9a912e054a7c46e07bdbfeb165f0e71ff3686bcdba9cd53d0ed6be8ff0607108_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2021-35065"
},
{
"category": "external",
"summary": "RHBZ#2156324",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2156324"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2021-35065",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-35065"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-35065",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-35065"
},
{
"category": "external",
"summary": "https://security.snyk.io/vuln/SNYK-JS-GLOBPARENT-1314294",
"url": "https://security.snyk.io/vuln/SNYK-JS-GLOBPARENT-1314294"
}
],
"release_date": "2022-12-26T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-02-28T00:50:28+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-MTA-6.0:mta/mta-ui-rhel8@sha256:e00e79bc7fb1bc104b1d3e0ebc6b49c7d3c7885925e3c432d60b43f10aaec1c4_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0934"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"8Base-MTA-6.0:mta/mta-admin-addon-rhel8@sha256:9445191232ad1ff1c2926b5a2194130502696a74620cda941675edc9c366b305_amd64",
"8Base-MTA-6.0:mta/mta-hub-rhel8@sha256:ebc8706761a518bd08447a6e51a35f81e5beb3840f3b6b66f656c23c36c07e76_amd64",
"8Base-MTA-6.0:mta/mta-pathfinder-rhel8@sha256:b50244562f83977574d1bd88adc1d259501c90f883596b15fa81e557844e2956_amd64",
"8Base-MTA-6.0:mta/mta-rhel8-operator@sha256:7f145fc5723fd09324500de359146c2967a8b8f960dac4b862352faf2cb592c4_amd64",
"8Base-MTA-6.0:mta/mta-ui-rhel8@sha256:e00e79bc7fb1bc104b1d3e0ebc6b49c7d3c7885925e3c432d60b43f10aaec1c4_amd64",
"8Base-MTA-6.0:mta/mta-windup-addon-rhel8@sha256:9a912e054a7c46e07bdbfeb165f0e71ff3686bcdba9cd53d0ed6be8ff0607108_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "glob-parent: Regular Expression Denial of Service"
},
{
"cve": "CVE-2022-24999",
"cwe": {
"id": "CWE-1321",
"name": "Improperly Controlled Modification of Object Prototype Attributes (\u0027Prototype Pollution\u0027)"
},
"discovery_date": "2022-12-02T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-MTA-6.0:mta/mta-admin-addon-rhel8@sha256:9445191232ad1ff1c2926b5a2194130502696a74620cda941675edc9c366b305_amd64",
"8Base-MTA-6.0:mta/mta-hub-rhel8@sha256:ebc8706761a518bd08447a6e51a35f81e5beb3840f3b6b66f656c23c36c07e76_amd64",
"8Base-MTA-6.0:mta/mta-pathfinder-rhel8@sha256:b50244562f83977574d1bd88adc1d259501c90f883596b15fa81e557844e2956_amd64",
"8Base-MTA-6.0:mta/mta-rhel8-operator@sha256:7f145fc5723fd09324500de359146c2967a8b8f960dac4b862352faf2cb592c4_amd64",
"8Base-MTA-6.0:mta/mta-windup-addon-rhel8@sha256:9a912e054a7c46e07bdbfeb165f0e71ff3686bcdba9cd53d0ed6be8ff0607108_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2150323"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the express.js npm package of nodejs:14 module stream. Express.js Express is vulnerable to a denial of service caused by a prototype pollution flaw in qs. By adding or modifying properties of Object.prototype using a __proto__ or constructor payload, a remote attacker can cause a denial of service.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "express: \"qs\" prototype poisoning causes the hang of the node process",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "- The qs and express Package is not used by the OpenShift Container Platform console directly and is only a third-party package dependency. Hence, it is marked as wontfix. \nAs a result, any services that depend on Openshift for their use of qs and express are marked won\u0027t fix. \n- In OpenShift Service Mesh, \u0027qs\u0027 is hoisted from storybook and node-sass, both are dev dependencies, and the vulnerability is not exposed to end users. Hence marked as wontfix.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-MTA-6.0:mta/mta-ui-rhel8@sha256:e00e79bc7fb1bc104b1d3e0ebc6b49c7d3c7885925e3c432d60b43f10aaec1c4_amd64"
],
"known_not_affected": [
"8Base-MTA-6.0:mta/mta-admin-addon-rhel8@sha256:9445191232ad1ff1c2926b5a2194130502696a74620cda941675edc9c366b305_amd64",
"8Base-MTA-6.0:mta/mta-hub-rhel8@sha256:ebc8706761a518bd08447a6e51a35f81e5beb3840f3b6b66f656c23c36c07e76_amd64",
"8Base-MTA-6.0:mta/mta-pathfinder-rhel8@sha256:b50244562f83977574d1bd88adc1d259501c90f883596b15fa81e557844e2956_amd64",
"8Base-MTA-6.0:mta/mta-rhel8-operator@sha256:7f145fc5723fd09324500de359146c2967a8b8f960dac4b862352faf2cb592c4_amd64",
"8Base-MTA-6.0:mta/mta-windup-addon-rhel8@sha256:9a912e054a7c46e07bdbfeb165f0e71ff3686bcdba9cd53d0ed6be8ff0607108_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-24999"
},
{
"category": "external",
"summary": "RHBZ#2150323",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2150323"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-24999",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-24999"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-24999",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24999"
},
{
"category": "external",
"summary": "https://github.com/expressjs/express/releases/tag/4.17.3",
"url": "https://github.com/expressjs/express/releases/tag/4.17.3"
},
{
"category": "external",
"summary": "https://github.com/ljharb/qs/pull/428",
"url": "https://github.com/ljharb/qs/pull/428"
},
{
"category": "external",
"summary": "https://github.com/n8tz/CVE-2022-24999",
"url": "https://github.com/n8tz/CVE-2022-24999"
}
],
"release_date": "2022-11-26T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-02-28T00:50:28+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-MTA-6.0:mta/mta-ui-rhel8@sha256:e00e79bc7fb1bc104b1d3e0ebc6b49c7d3c7885925e3c432d60b43f10aaec1c4_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0934"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"8Base-MTA-6.0:mta/mta-admin-addon-rhel8@sha256:9445191232ad1ff1c2926b5a2194130502696a74620cda941675edc9c366b305_amd64",
"8Base-MTA-6.0:mta/mta-hub-rhel8@sha256:ebc8706761a518bd08447a6e51a35f81e5beb3840f3b6b66f656c23c36c07e76_amd64",
"8Base-MTA-6.0:mta/mta-pathfinder-rhel8@sha256:b50244562f83977574d1bd88adc1d259501c90f883596b15fa81e557844e2956_amd64",
"8Base-MTA-6.0:mta/mta-rhel8-operator@sha256:7f145fc5723fd09324500de359146c2967a8b8f960dac4b862352faf2cb592c4_amd64",
"8Base-MTA-6.0:mta/mta-ui-rhel8@sha256:e00e79bc7fb1bc104b1d3e0ebc6b49c7d3c7885925e3c432d60b43f10aaec1c4_amd64",
"8Base-MTA-6.0:mta/mta-windup-addon-rhel8@sha256:9a912e054a7c46e07bdbfeb165f0e71ff3686bcdba9cd53d0ed6be8ff0607108_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "express: \"qs\" prototype poisoning causes the hang of the node process"
},
{
"cve": "CVE-2022-37601",
"cwe": {
"id": "CWE-1321",
"name": "Improperly Controlled Modification of Object Prototype Attributes (\u0027Prototype Pollution\u0027)"
},
"discovery_date": "2022-10-14T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-MTA-6.0:mta/mta-admin-addon-rhel8@sha256:9445191232ad1ff1c2926b5a2194130502696a74620cda941675edc9c366b305_amd64",
"8Base-MTA-6.0:mta/mta-hub-rhel8@sha256:ebc8706761a518bd08447a6e51a35f81e5beb3840f3b6b66f656c23c36c07e76_amd64",
"8Base-MTA-6.0:mta/mta-pathfinder-rhel8@sha256:b50244562f83977574d1bd88adc1d259501c90f883596b15fa81e557844e2956_amd64",
"8Base-MTA-6.0:mta/mta-rhel8-operator@sha256:7f145fc5723fd09324500de359146c2967a8b8f960dac4b862352faf2cb592c4_amd64",
"8Base-MTA-6.0:mta/mta-windup-addon-rhel8@sha256:9a912e054a7c46e07bdbfeb165f0e71ff3686bcdba9cd53d0ed6be8ff0607108_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2134876"
}
],
"notes": [
{
"category": "description",
"text": "A prototype pollution vulnerability was found in the parseQuery function in parseQuery.js in the webpack loader-utils via the name variable in parseQuery.js. This flaw can lead to a denial of service or remote code execution.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "loader-utils: prototype pollution in function parseQuery in parseQuery.js",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Packages shipped in Red Hat Enterprise Linux use \u0027loader-utils\u0027 as a transitive dependency. Thus, reducing the impact to Moderate.\n\nIn Red Hat containerized products like OCP and ODF, the vulnerable loader-utils NodeJS module is bundled as a transitive dependency, hence the direct impact is reduced to Moderate.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-MTA-6.0:mta/mta-ui-rhel8@sha256:e00e79bc7fb1bc104b1d3e0ebc6b49c7d3c7885925e3c432d60b43f10aaec1c4_amd64"
],
"known_not_affected": [
"8Base-MTA-6.0:mta/mta-admin-addon-rhel8@sha256:9445191232ad1ff1c2926b5a2194130502696a74620cda941675edc9c366b305_amd64",
"8Base-MTA-6.0:mta/mta-hub-rhel8@sha256:ebc8706761a518bd08447a6e51a35f81e5beb3840f3b6b66f656c23c36c07e76_amd64",
"8Base-MTA-6.0:mta/mta-pathfinder-rhel8@sha256:b50244562f83977574d1bd88adc1d259501c90f883596b15fa81e557844e2956_amd64",
"8Base-MTA-6.0:mta/mta-rhel8-operator@sha256:7f145fc5723fd09324500de359146c2967a8b8f960dac4b862352faf2cb592c4_amd64",
"8Base-MTA-6.0:mta/mta-windup-addon-rhel8@sha256:9a912e054a7c46e07bdbfeb165f0e71ff3686bcdba9cd53d0ed6be8ff0607108_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-37601"
},
{
"category": "external",
"summary": "RHBZ#2134876",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2134876"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-37601",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-37601"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-37601",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-37601"
},
{
"category": "external",
"summary": "https://github.com/webpack/loader-utils/issues/212",
"url": "https://github.com/webpack/loader-utils/issues/212"
}
],
"release_date": "2022-10-14T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-02-28T00:50:28+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-MTA-6.0:mta/mta-ui-rhel8@sha256:e00e79bc7fb1bc104b1d3e0ebc6b49c7d3c7885925e3c432d60b43f10aaec1c4_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0934"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"8Base-MTA-6.0:mta/mta-admin-addon-rhel8@sha256:9445191232ad1ff1c2926b5a2194130502696a74620cda941675edc9c366b305_amd64",
"8Base-MTA-6.0:mta/mta-hub-rhel8@sha256:ebc8706761a518bd08447a6e51a35f81e5beb3840f3b6b66f656c23c36c07e76_amd64",
"8Base-MTA-6.0:mta/mta-pathfinder-rhel8@sha256:b50244562f83977574d1bd88adc1d259501c90f883596b15fa81e557844e2956_amd64",
"8Base-MTA-6.0:mta/mta-rhel8-operator@sha256:7f145fc5723fd09324500de359146c2967a8b8f960dac4b862352faf2cb592c4_amd64",
"8Base-MTA-6.0:mta/mta-ui-rhel8@sha256:e00e79bc7fb1bc104b1d3e0ebc6b49c7d3c7885925e3c432d60b43f10aaec1c4_amd64",
"8Base-MTA-6.0:mta/mta-windup-addon-rhel8@sha256:9a912e054a7c46e07bdbfeb165f0e71ff3686bcdba9cd53d0ed6be8ff0607108_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "loader-utils: prototype pollution in function parseQuery in parseQuery.js"
},
{
"cve": "CVE-2022-37603",
"cwe": {
"id": "CWE-185",
"name": "Incorrect Regular Expression"
},
"discovery_date": "2022-11-07T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-MTA-6.0:mta/mta-admin-addon-rhel8@sha256:9445191232ad1ff1c2926b5a2194130502696a74620cda941675edc9c366b305_amd64",
"8Base-MTA-6.0:mta/mta-hub-rhel8@sha256:ebc8706761a518bd08447a6e51a35f81e5beb3840f3b6b66f656c23c36c07e76_amd64",
"8Base-MTA-6.0:mta/mta-pathfinder-rhel8@sha256:b50244562f83977574d1bd88adc1d259501c90f883596b15fa81e557844e2956_amd64",
"8Base-MTA-6.0:mta/mta-rhel8-operator@sha256:7f145fc5723fd09324500de359146c2967a8b8f960dac4b862352faf2cb592c4_amd64",
"8Base-MTA-6.0:mta/mta-windup-addon-rhel8@sha256:9a912e054a7c46e07bdbfeb165f0e71ff3686bcdba9cd53d0ed6be8ff0607108_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2140597"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in loader-utils webpack library. When the url variable from interpolateName is set, the prototype can be polluted. This issue could lead to a regular expression Denial of Service (ReDoS), affecting the availability of the affected component.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "loader-utils: Regular expression denial of service",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-MTA-6.0:mta/mta-ui-rhel8@sha256:e00e79bc7fb1bc104b1d3e0ebc6b49c7d3c7885925e3c432d60b43f10aaec1c4_amd64"
],
"known_not_affected": [
"8Base-MTA-6.0:mta/mta-admin-addon-rhel8@sha256:9445191232ad1ff1c2926b5a2194130502696a74620cda941675edc9c366b305_amd64",
"8Base-MTA-6.0:mta/mta-hub-rhel8@sha256:ebc8706761a518bd08447a6e51a35f81e5beb3840f3b6b66f656c23c36c07e76_amd64",
"8Base-MTA-6.0:mta/mta-pathfinder-rhel8@sha256:b50244562f83977574d1bd88adc1d259501c90f883596b15fa81e557844e2956_amd64",
"8Base-MTA-6.0:mta/mta-rhel8-operator@sha256:7f145fc5723fd09324500de359146c2967a8b8f960dac4b862352faf2cb592c4_amd64",
"8Base-MTA-6.0:mta/mta-windup-addon-rhel8@sha256:9a912e054a7c46e07bdbfeb165f0e71ff3686bcdba9cd53d0ed6be8ff0607108_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-37603"
},
{
"category": "external",
"summary": "RHBZ#2140597",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2140597"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-37603",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-37603"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-37603",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-37603"
}
],
"release_date": "2022-10-06T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-02-28T00:50:28+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-MTA-6.0:mta/mta-ui-rhel8@sha256:e00e79bc7fb1bc104b1d3e0ebc6b49c7d3c7885925e3c432d60b43f10aaec1c4_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0934"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"8Base-MTA-6.0:mta/mta-admin-addon-rhel8@sha256:9445191232ad1ff1c2926b5a2194130502696a74620cda941675edc9c366b305_amd64",
"8Base-MTA-6.0:mta/mta-hub-rhel8@sha256:ebc8706761a518bd08447a6e51a35f81e5beb3840f3b6b66f656c23c36c07e76_amd64",
"8Base-MTA-6.0:mta/mta-pathfinder-rhel8@sha256:b50244562f83977574d1bd88adc1d259501c90f883596b15fa81e557844e2956_amd64",
"8Base-MTA-6.0:mta/mta-rhel8-operator@sha256:7f145fc5723fd09324500de359146c2967a8b8f960dac4b862352faf2cb592c4_amd64",
"8Base-MTA-6.0:mta/mta-ui-rhel8@sha256:e00e79bc7fb1bc104b1d3e0ebc6b49c7d3c7885925e3c432d60b43f10aaec1c4_amd64",
"8Base-MTA-6.0:mta/mta-windup-addon-rhel8@sha256:9a912e054a7c46e07bdbfeb165f0e71ff3686bcdba9cd53d0ed6be8ff0607108_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "loader-utils: Regular expression denial of service"
},
{
"cve": "CVE-2022-41717",
"cwe": {
"id": "CWE-770",
"name": "Allocation of Resources Without Limits or Throttling"
},
"discovery_date": "2023-01-16T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-MTA-6.0:mta/mta-pathfinder-rhel8@sha256:b50244562f83977574d1bd88adc1d259501c90f883596b15fa81e557844e2956_amd64",
"8Base-MTA-6.0:mta/mta-rhel8-operator@sha256:7f145fc5723fd09324500de359146c2967a8b8f960dac4b862352faf2cb592c4_amd64",
"8Base-MTA-6.0:mta/mta-ui-rhel8@sha256:e00e79bc7fb1bc104b1d3e0ebc6b49c7d3c7885925e3c432d60b43f10aaec1c4_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2161274"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the net/http library of the golang package. This flaw allows an attacker to cause excessive memory growth in a Go server accepting HTTP/2 requests. HTTP/2 server connections contain a cache of HTTP header keys sent by the client. While the total number of entries in this cache is capped, an attacker sending very large keys can cause the server to allocate approximately 64 MiB per open connection.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "golang: net/http: excessive memory growth in a Go server accepting HTTP/2 requests",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Within Red Hat OpenShift Container Platform, the grafana container is listed as will not fix. Since OCP 4.10, Grafana itself is not shipped and the Grafana web server is protected behind an OAuth proxy server.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-MTA-6.0:mta/mta-admin-addon-rhel8@sha256:9445191232ad1ff1c2926b5a2194130502696a74620cda941675edc9c366b305_amd64",
"8Base-MTA-6.0:mta/mta-hub-rhel8@sha256:ebc8706761a518bd08447a6e51a35f81e5beb3840f3b6b66f656c23c36c07e76_amd64",
"8Base-MTA-6.0:mta/mta-windup-addon-rhel8@sha256:9a912e054a7c46e07bdbfeb165f0e71ff3686bcdba9cd53d0ed6be8ff0607108_amd64"
],
"known_not_affected": [
"8Base-MTA-6.0:mta/mta-pathfinder-rhel8@sha256:b50244562f83977574d1bd88adc1d259501c90f883596b15fa81e557844e2956_amd64",
"8Base-MTA-6.0:mta/mta-rhel8-operator@sha256:7f145fc5723fd09324500de359146c2967a8b8f960dac4b862352faf2cb592c4_amd64",
"8Base-MTA-6.0:mta/mta-ui-rhel8@sha256:e00e79bc7fb1bc104b1d3e0ebc6b49c7d3c7885925e3c432d60b43f10aaec1c4_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-41717"
},
{
"category": "external",
"summary": "RHBZ#2161274",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2161274"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-41717",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-41717"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-41717",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41717"
},
{
"category": "external",
"summary": "https://go.dev/cl/455635",
"url": "https://go.dev/cl/455635"
},
{
"category": "external",
"summary": "https://go.dev/cl/455717",
"url": "https://go.dev/cl/455717"
},
{
"category": "external",
"summary": "https://go.dev/issue/56350",
"url": "https://go.dev/issue/56350"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-announce/c/L_3rmdT0BMU/m/yZDrXjIiBQAJ",
"url": "https://groups.google.com/g/golang-announce/c/L_3rmdT0BMU/m/yZDrXjIiBQAJ"
},
{
"category": "external",
"summary": "https://pkg.go.dev/vuln/GO-2022-1144",
"url": "https://pkg.go.dev/vuln/GO-2022-1144"
}
],
"release_date": "2022-11-30T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-02-28T00:50:28+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-MTA-6.0:mta/mta-admin-addon-rhel8@sha256:9445191232ad1ff1c2926b5a2194130502696a74620cda941675edc9c366b305_amd64",
"8Base-MTA-6.0:mta/mta-hub-rhel8@sha256:ebc8706761a518bd08447a6e51a35f81e5beb3840f3b6b66f656c23c36c07e76_amd64",
"8Base-MTA-6.0:mta/mta-windup-addon-rhel8@sha256:9a912e054a7c46e07bdbfeb165f0e71ff3686bcdba9cd53d0ed6be8ff0607108_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0934"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"products": [
"8Base-MTA-6.0:mta/mta-admin-addon-rhel8@sha256:9445191232ad1ff1c2926b5a2194130502696a74620cda941675edc9c366b305_amd64",
"8Base-MTA-6.0:mta/mta-hub-rhel8@sha256:ebc8706761a518bd08447a6e51a35f81e5beb3840f3b6b66f656c23c36c07e76_amd64",
"8Base-MTA-6.0:mta/mta-pathfinder-rhel8@sha256:b50244562f83977574d1bd88adc1d259501c90f883596b15fa81e557844e2956_amd64",
"8Base-MTA-6.0:mta/mta-rhel8-operator@sha256:7f145fc5723fd09324500de359146c2967a8b8f960dac4b862352faf2cb592c4_amd64",
"8Base-MTA-6.0:mta/mta-ui-rhel8@sha256:e00e79bc7fb1bc104b1d3e0ebc6b49c7d3c7885925e3c432d60b43f10aaec1c4_amd64",
"8Base-MTA-6.0:mta/mta-windup-addon-rhel8@sha256:9a912e054a7c46e07bdbfeb165f0e71ff3686bcdba9cd53d0ed6be8ff0607108_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "golang: net/http: excessive memory growth in a Go server accepting HTTP/2 requests"
},
{
"cve": "CVE-2022-42920",
"cwe": {
"id": "CWE-787",
"name": "Out-of-bounds Write"
},
"discovery_date": "2022-11-07T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-MTA-6.0:mta/mta-admin-addon-rhel8@sha256:9445191232ad1ff1c2926b5a2194130502696a74620cda941675edc9c366b305_amd64",
"8Base-MTA-6.0:mta/mta-hub-rhel8@sha256:ebc8706761a518bd08447a6e51a35f81e5beb3840f3b6b66f656c23c36c07e76_amd64",
"8Base-MTA-6.0:mta/mta-pathfinder-rhel8@sha256:b50244562f83977574d1bd88adc1d259501c90f883596b15fa81e557844e2956_amd64",
"8Base-MTA-6.0:mta/mta-rhel8-operator@sha256:7f145fc5723fd09324500de359146c2967a8b8f960dac4b862352faf2cb592c4_amd64",
"8Base-MTA-6.0:mta/mta-windup-addon-rhel8@sha256:9a912e054a7c46e07bdbfeb165f0e71ff3686bcdba9cd53d0ed6be8ff0607108_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2142707"
}
],
"notes": [
{
"category": "description",
"text": "An out-of-bounds (OOB) write flaw was found in Apache Commons BCEL API. This flaw can be used to produce arbitrary bytecode and may abuse applications that pass attacker-controlled data to those APIs, giving the attacker more control over the resulting bytecode than otherwise expected.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "Apache-Commons-BCEL: arbitrary bytecode produced via out-of-bounds writing",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Fuse 7 ships the code in question but does not utilize it in the product, so it is affected at a reduced impact of Moderate.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-MTA-6.0:mta/mta-ui-rhel8@sha256:e00e79bc7fb1bc104b1d3e0ebc6b49c7d3c7885925e3c432d60b43f10aaec1c4_amd64"
],
"known_not_affected": [
"8Base-MTA-6.0:mta/mta-admin-addon-rhel8@sha256:9445191232ad1ff1c2926b5a2194130502696a74620cda941675edc9c366b305_amd64",
"8Base-MTA-6.0:mta/mta-hub-rhel8@sha256:ebc8706761a518bd08447a6e51a35f81e5beb3840f3b6b66f656c23c36c07e76_amd64",
"8Base-MTA-6.0:mta/mta-pathfinder-rhel8@sha256:b50244562f83977574d1bd88adc1d259501c90f883596b15fa81e557844e2956_amd64",
"8Base-MTA-6.0:mta/mta-rhel8-operator@sha256:7f145fc5723fd09324500de359146c2967a8b8f960dac4b862352faf2cb592c4_amd64",
"8Base-MTA-6.0:mta/mta-windup-addon-rhel8@sha256:9a912e054a7c46e07bdbfeb165f0e71ff3686bcdba9cd53d0ed6be8ff0607108_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-42920"
},
{
"category": "external",
"summary": "RHBZ#2142707",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2142707"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-42920",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-42920"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-42920",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-42920"
},
{
"category": "external",
"summary": "https://lists.apache.org/thread/lfxk7q8qmnh5bt9jm6nmjlv5hsxjhrz4",
"url": "https://lists.apache.org/thread/lfxk7q8qmnh5bt9jm6nmjlv5hsxjhrz4"
}
],
"release_date": "2022-11-04T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-02-28T00:50:28+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-MTA-6.0:mta/mta-ui-rhel8@sha256:e00e79bc7fb1bc104b1d3e0ebc6b49c7d3c7885925e3c432d60b43f10aaec1c4_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0934"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"8Base-MTA-6.0:mta/mta-admin-addon-rhel8@sha256:9445191232ad1ff1c2926b5a2194130502696a74620cda941675edc9c366b305_amd64",
"8Base-MTA-6.0:mta/mta-hub-rhel8@sha256:ebc8706761a518bd08447a6e51a35f81e5beb3840f3b6b66f656c23c36c07e76_amd64",
"8Base-MTA-6.0:mta/mta-pathfinder-rhel8@sha256:b50244562f83977574d1bd88adc1d259501c90f883596b15fa81e557844e2956_amd64",
"8Base-MTA-6.0:mta/mta-rhel8-operator@sha256:7f145fc5723fd09324500de359146c2967a8b8f960dac4b862352faf2cb592c4_amd64",
"8Base-MTA-6.0:mta/mta-ui-rhel8@sha256:e00e79bc7fb1bc104b1d3e0ebc6b49c7d3c7885925e3c432d60b43f10aaec1c4_amd64",
"8Base-MTA-6.0:mta/mta-windup-addon-rhel8@sha256:9a912e054a7c46e07bdbfeb165f0e71ff3686bcdba9cd53d0ed6be8ff0607108_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "Apache-Commons-BCEL: arbitrary bytecode produced via out-of-bounds writing"
},
{
"cve": "CVE-2022-46175",
"cwe": {
"id": "CWE-1321",
"name": "Improperly Controlled Modification of Object Prototype Attributes (\u0027Prototype Pollution\u0027)"
},
"discovery_date": "2022-12-26T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-MTA-6.0:mta/mta-admin-addon-rhel8@sha256:9445191232ad1ff1c2926b5a2194130502696a74620cda941675edc9c366b305_amd64",
"8Base-MTA-6.0:mta/mta-hub-rhel8@sha256:ebc8706761a518bd08447a6e51a35f81e5beb3840f3b6b66f656c23c36c07e76_amd64",
"8Base-MTA-6.0:mta/mta-pathfinder-rhel8@sha256:b50244562f83977574d1bd88adc1d259501c90f883596b15fa81e557844e2956_amd64",
"8Base-MTA-6.0:mta/mta-rhel8-operator@sha256:7f145fc5723fd09324500de359146c2967a8b8f960dac4b862352faf2cb592c4_amd64",
"8Base-MTA-6.0:mta/mta-windup-addon-rhel8@sha256:9a912e054a7c46e07bdbfeb165f0e71ff3686bcdba9cd53d0ed6be8ff0607108_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2156263"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the json5 package. The affected version of the json5 package could allow an attacker to set arbitrary and unexpected keys on the object returned from JSON5.parse.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "json5: Prototype Pollution in JSON5 via Parse Method",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "The json5 package is a build-time dependency in Red Hat products and is not used in production runtime. Hence, the impact is set to Moderate.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-MTA-6.0:mta/mta-ui-rhel8@sha256:e00e79bc7fb1bc104b1d3e0ebc6b49c7d3c7885925e3c432d60b43f10aaec1c4_amd64"
],
"known_not_affected": [
"8Base-MTA-6.0:mta/mta-admin-addon-rhel8@sha256:9445191232ad1ff1c2926b5a2194130502696a74620cda941675edc9c366b305_amd64",
"8Base-MTA-6.0:mta/mta-hub-rhel8@sha256:ebc8706761a518bd08447a6e51a35f81e5beb3840f3b6b66f656c23c36c07e76_amd64",
"8Base-MTA-6.0:mta/mta-pathfinder-rhel8@sha256:b50244562f83977574d1bd88adc1d259501c90f883596b15fa81e557844e2956_amd64",
"8Base-MTA-6.0:mta/mta-rhel8-operator@sha256:7f145fc5723fd09324500de359146c2967a8b8f960dac4b862352faf2cb592c4_amd64",
"8Base-MTA-6.0:mta/mta-windup-addon-rhel8@sha256:9a912e054a7c46e07bdbfeb165f0e71ff3686bcdba9cd53d0ed6be8ff0607108_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-46175"
},
{
"category": "external",
"summary": "RHBZ#2156263",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2156263"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-46175",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-46175"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-46175",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-46175"
},
{
"category": "external",
"summary": "https://github.com/json5/json5/security/advisories/GHSA-9c47-m6qq-7p4h",
"url": "https://github.com/json5/json5/security/advisories/GHSA-9c47-m6qq-7p4h"
}
],
"release_date": "2022-12-24T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-02-28T00:50:28+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-MTA-6.0:mta/mta-ui-rhel8@sha256:e00e79bc7fb1bc104b1d3e0ebc6b49c7d3c7885925e3c432d60b43f10aaec1c4_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0934"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"8Base-MTA-6.0:mta/mta-admin-addon-rhel8@sha256:9445191232ad1ff1c2926b5a2194130502696a74620cda941675edc9c366b305_amd64",
"8Base-MTA-6.0:mta/mta-hub-rhel8@sha256:ebc8706761a518bd08447a6e51a35f81e5beb3840f3b6b66f656c23c36c07e76_amd64",
"8Base-MTA-6.0:mta/mta-pathfinder-rhel8@sha256:b50244562f83977574d1bd88adc1d259501c90f883596b15fa81e557844e2956_amd64",
"8Base-MTA-6.0:mta/mta-rhel8-operator@sha256:7f145fc5723fd09324500de359146c2967a8b8f960dac4b862352faf2cb592c4_amd64",
"8Base-MTA-6.0:mta/mta-ui-rhel8@sha256:e00e79bc7fb1bc104b1d3e0ebc6b49c7d3c7885925e3c432d60b43f10aaec1c4_amd64",
"8Base-MTA-6.0:mta/mta-windup-addon-rhel8@sha256:9a912e054a7c46e07bdbfeb165f0e71ff3686bcdba9cd53d0ed6be8ff0607108_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "json5: Prototype Pollution in JSON5 via Parse Method"
}
]
}
RHSA-2023_1043
Vulnerability from csaf_redhat - Published: 2023-03-01 22:02 - Updated: 2024-12-18 00:37Summary
Red Hat Security Advisory: Red Hat Single Sign-On 7.6.2 security update on RHEL 7
Severity
Important
Notes
Topic: New Red Hat Single Sign-On 7.6.2 packages are now available for Red Hat Enterprise Linux 7.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details: Red Hat Single Sign-On 7.6 is a standalone server, based on the Keycloak project, that provides authentication and standards-based single sign-on capabilities for web and mobile applications.
This release of Red Hat Single Sign-On 7.6.2 on RHEL 7 serves as a replacement for Red Hat Single Sign-On 7.6.1, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.
Security Fix(es):
* keycloak: XSS on impersonation under specific circumstances (CVE-2022-1438)
* Moment.js: Path traversal in moment.locale (CVE-2022-24785)
* keycloak: missing email notification template allowlist (CVE-2022-1274)
* keycloak: minimist: prototype pollution (CVE-2021-44906)
* moment: inefficient parsing algorithm resulting in DoS (CVE-2022-31129)
* undertow: DoS can be achieved as Undertow server waits for the LAST_CHUNK forever for EJB invocations (CVE-2022-2764)
* snakeyaml: Denial of Service due to missing nested depth limitation for collections (CVE-2022-25857)
* loader-utils: loader-utils:Regular expression denial of service (CVE-2022-37603)
* keycloak: Session takeover with OIDC offline refreshtokens (CVE-2022-3916)
* keycloak: path traversal via double URL encoding (CVE-2022-3782)
* snakeyaml: Uncaught exception in org.yaml.snakeyaml.composer.Composer.composeSequenceNode (CVE-2022-38749)
* snakeyaml: Uncaught exception in java.base/java.util.regex.Pattern$Ques.match (CVE-2022-38751)
* snakeyaml: Uncaught exception in org.yaml.snakeyaml.constructor.BaseConstructor.constructObject (CVE-2022-38750)
* keycloak: Client Registration endpoint does not check token revocation (CVE-2023-0091)
* keycloak: glob-parent: Regular Expression Denial of Service (CVE-2021-35065)
* json5: Prototype Pollution in JSON5 via Parse Method (CVE-2022-46175)
* keycloak: keycloak: user impersonation via stolen uuid code (CVE-2023-0264)
* snakeyaml: Constructor Deserialization Remote Code Execution (CVE-2022-1471)
* CXF: Apache CXF: SSRF Vulnerability (CVE-2022-46364)
* rcue-bootstrap: bootstrap: Cross-site Scripting (XSS) in the data-container property of tooltip (CVE-2018-14042)
* jettison: If the value in map is the map's self, the new new JSONObject(map) cause StackOverflowError which may lead to dos (CVE-2022-45693)
* sshd-common: mina-sshd: Java unsafe deserialization vulnerability (CVE-2022-45047)
* jettison: memory exhaustion via user-supplied XML or JSON data (CVE-2022-40150)
* jettison: parser crash by stackoverflow (CVE-2022-40149)
* jackson-databind: use of deeply nested arrays (CVE-2022-42004)
* jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS (CVE-2022-42003)
* jquery: Cross-site scripting due to improper injQuery.htmlPrefilter method (CVE-2020-11022)
* jquery: Passing HTML containing <option> elements to manipulation methods could result in untrusted code execution (CVE-2020-11023)
* bootstrap: Cross-site Scripting (XSS) in the collapse data-parent attribute (CVE-2018-14040)
* jquery: Prototype pollution in object's prototype leading to denial of service, remote code execution, or property injection (CVE-2019-11358)
* CXF: Apache CXF: directory listing / code exfiltration (CVE-2022-46363)
* keycloak: reflected XSS attack (CVE-2022-4137)
For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
In Bootstrap before 4.1.2, XSS is possible in the collapse data-parent attribute.
6.1 (Medium)
Affected products
Fixed
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch | — |
Vendor Fix
fix
|
Threats
Impact
Moderate
In Bootstrap before 4.1.2, XSS is possible in the data-container property of tooltip.
6.1 (Medium)
Affected products
Fixed
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch | — |
Vendor Fix
fix
|
Threats
Impact
Moderate
A Prototype Pollution vulnerability was found in jquery. Untrusted JSON passed to the `extend` function could lead to modifying objects up the prototype chain, including the global Object. A crafted JSON object passed to a vulnerable method could lead to denial of service or data injection, with various consequences.
5.6 (Medium)
Affected products
Fixed
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch | — |
Vendor Fix
fix
|
Threats
Impact
Moderate
A Cross-site scripting (XSS) vulnerability exists in JQuery. This flaw allows an attacker with the ability to supply input to the ‘HTML’ function to inject Javascript into the page where that input is rendered, and have it delivered by the browser.
6.1 (Medium)
Affected products
Fixed
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch | — |
Vendor Fix
fix
|
Threats
Impact
Moderate
A flaw was found in jQuery. HTML containing \<option\> elements from untrusted sources are passed, even after sanitizing, to one of jQuery's DOM manipulation methods, which may execute untrusted code. The highest threat from this vulnerability is to data confidentiality and integrity.
6.1 (Medium)
Affected products
Fixed
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch | — |
Vendor Fix
fix
|
Threats
Impact
Moderate
A vulnerability was found in the glob-parent package. Affected versions of this package are vulnerable to Regular expression Denial of Service (ReDoS) attacks, affecting system availability.
7.5 (High)
Affected products
Fixed
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch | — |
Vendor Fix
fix
|
Threats
Impact
Low
An Uncontrolled Resource Consumption flaw was found in minimist. This flaw allows an attacker to trick the library into adding or modifying the properties of Object.prototype, using a constructor or __proto__ payload, resulting in prototype pollution and loss of confidentiality, availability, and integrity.
9.8 (Critical)
Affected products
Fixed
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch | — |
Vendor Fix
fix
|
Threats
Impact
Moderate
A flaw was found in Keycloak in the execute-actions-email endpoint. This issue allows arbitrary HTML to be injected into emails sent to Keycloak users and can be misused to perform phishing or other attacks against users.
7.6 (High)
Affected products
Fixed
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch | — |
Vendor Fix
fix
|
Threats
Impact
Moderate
A flaw was found in Keycloak. Under specific circumstances, HTML entities are not sanitized during user impersonation, resulting in a Cross-site scripting (XSS) vulnerability.
6.4 (Medium)
Affected products
Fixed
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch | — |
Vendor Fix
fix
|
Threats
Impact
Moderate
A flaw was found in the SnakeYaml package. This flaw allows an attacker to benefit from remote code execution by sending malicious YAML content and this content being deserialized by the constructor. Deserialization is unsafe and leads to Remote Code Execution (RCE).
9.8 (Critical)
Affected products
Fixed
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch | — |
Vendor Fix
fix
|
Threats
Impact
Important
A flaw was found in Undertow with EJB invocations. This flaw allows an attacker to generate a valid HTTP request and send it to the server on an established connection after removing the LAST_CHUNK from the bytes, causing a denial of service.
4.2 (Medium)
Affected products
Fixed
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch | — |
Vendor Fix
fix
|
Threats
Impact
Low
A flaw was found in the offline_access scope in Keycloak. This issue would affect users of shared computers more (especially if cookies are not cleared), due to a lack of root session validation, and the reuse of session ids across root and user authentication sessions. This enables an attacker to resolve a user session attached to a previously authenticated user; when utilizing the refresh token, they will be issued a token for the original user.
6.8 (Medium)
Affected products
Fixed
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch | — |
Vendor Fix
fix
|
Threats
Impact
Moderate
A reflected cross-site scripting (XSS) vulnerability was found in the 'oob' OAuth endpoint due to incorrect null-byte handling. This issue allows a malicious link to insert an arbitrary URI into a Keycloak error page. This flaw requires a user or administrator to interact with a link in order to be vulnerable. This may compromise user details, allowing it to be changed or collected by an attacker.
8.1 (High)
Affected products
Fixed
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch | — |
Vendor Fix
fix
|
Threats
Impact
Important
A path traversal vulnerability was found in Moment.js that impacts npm (server) users. This issue occurs if a user-provided locale string is directly used to switch moment locale, which an attacker can exploit to change the correct path to one of their choice. This can result in a loss of integrity.
7.5 (High)
Affected products
Fixed
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Moderate
A flaw was found in the org.yaml.snakeyaml package. This flaw allows an attacker to cause a denial of service (DoS) due to missing nested depth limitation for collections.
7.5 (High)
Affected products
Fixed
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch | — |
Vendor Fix
fix
|
Threats
Impact
Low
A flaw was found in the Moment.js package. Users who pass user-provided strings without sanity length checks to the moment constructor are vulnerable to regular expression denial of service (ReDoS) attacks.
7.5 (High)
Affected products
Fixed
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch | — |
Vendor Fix
fix
|
Threats
Impact
Important
A flaw was found in loader-utils webpack library. When the url variable from interpolateName is set, the prototype can be polluted. This issue could lead to a regular expression Denial of Service (ReDoS), affecting the availability of the affected component.
7.5 (High)
Affected products
Fixed
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch | — |
Vendor Fix
fix
|
Threats
Impact
Moderate
A flaw was found in the snakeyaml package due to a stack-overflow in parsing YAML files. By persuading a victim to open a specially-crafted file, a remote attacker could cause the application to crash, resulting in a denial of service.
6.5 (Medium)
Affected products
Fixed
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch | — |
Vendor Fix
fix
|
Threats
Impact
Moderate
A flaw was found in the snakeyaml package due to a stack-overflow in parsing YAML files. By persuading a victim to open a specially-crafted file, a remote attacker could cause the application to crash.
5.5 (Medium)
Affected products
Fixed
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch | — |
Vendor Fix
fix
|
Threats
Impact
Moderate
A flaw was found in the snakeyaml package due to a stack-overflow in parsing YAML files. By persuading a victim to open a specially-crafted file, a remote attacker could cause the application to crash.
6.5 (Medium)
Affected products
Fixed
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch | — |
Vendor Fix
fix
|
Threats
Impact
Moderate
A stack-based buffer overflow vulnerability was found in Jettison, where parsing an untrusted XML or JSON data may lead to a crash. This flaw allows an attacker to supply content that causes the parser to crash by writing outside the memory bounds if the parser is running on user-supplied input, resulting in a denial of service attack.
7.5 (High)
Affected products
Fixed
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch | — |
Vendor Fix
fix
|
Threats
Impact
Moderate
A vulnerability was found in Jettison, where parsing an untrusted XML or JSON data may lead to a crash. If the parser is running on user-supplied input, an attacker may supply content that causes the parser to crash, causing memory exhaustion. This effect may support a denial of service attack.
7.5 (High)
Affected products
Fixed
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch | — |
Vendor Fix
fix
|
Threats
Impact
Low
A flaw was found in FasterXML jackson-databind. This issue could allow an attacker to benefit from resource exhaustion when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled due to unchecked primitive value deserializers to avoid deep wrapper array nesting.
7.5 (High)
Affected products
Fixed
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch | — |
Vendor Fix
fix
|
Threats
Impact
Moderate
A flaw was found In FasterXML jackson-databind. This issue could allow an attacker to benefit from resource exhaustion due to the lack of a check in BeanDeserializer._deserializeFromArray to prevent the use of deeply nested arrays. An application is only vulnerable with certain customized choices for deserialization.
7.5 (High)
Affected products
Fixed
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch | — |
Vendor Fix
fix
|
Threats
Impact
Moderate
A flaw was found in Apache MINA SSHD, when using Java deserialization to load a serialized java.security.PrivateKey. An attacker could benefit from unsafe deserialization by inserting unsecured data that may affect the application or server.
9.8 (Critical)
Affected products
Fixed
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Important
A flaw was found in Jettison, where it is vulnerable to a denial of service caused by a stack-based buffer overflow. By sending a specially-crafted request using the map parameter, a remote attacker can cause a denial of service.
7.5 (High)
Affected products
Fixed
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch | — |
Vendor Fix
fix
|
Threats
Impact
Moderate
A flaw was found in the json5 package. The affected version of the json5 package could allow an attacker to set arbitrary and unexpected keys on the object returned from JSON5.parse.
8.8 (High)
Affected products
Fixed
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch | — |
Vendor Fix
fix
|
Threats
Impact
Low
A vulnerability was found in Apache CXF that could allow an attacker to perform a remote directory listing or code exfiltration. This issue only applies when the CXFServlet is configured with both the static-resources-list and redirect-query-check attributes. These attributes are not supposed to be used together, so the issue can only occur if the CXF service is misconfigured.
7.5 (High)
Affected products
Fixed
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch | — |
Vendor Fix
fix
|
Threats
Impact
Moderate
A SSRF vulnerability was found in Apache CXF. This issue occurs when parsing the href attribute of XOP:Include in MTOM requests, allowing an attacker to perform SSRF style attacks on webservices that take at least one parameter of any type.
9.8 (Critical)
Affected products
Fixed
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch | — |
Vendor Fix
fix
|
Threats
Impact
Low
A flaw was found in Keycloak, where it did not properly check client tokens for possible revocation in its client credential flow. This flaw allows an attacker to access or modify potentially sensitive information.
CWE-20 - Improper Input ValidationAffected products
Fixed
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch | — |
Vendor Fix
fix
|
Threats
Impact
Low
A flaw was found in Keycloak's OpenID Connect user authentication, which may incorrectly authenticate requests. An authenticated attacker who could obtain information from a user request within the same realm could use that data to impersonate the victim and generate new session tokens. This issue could impact confidentiality, Integrity, and availability.
4.6 (Medium)
Affected products
Fixed
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch | — |
Vendor Fix
fix
|
Threats
Impact
Moderate
References
176 references
Acknowledgments
usd AG
Marcus Nilsson
SISOFT s.c.
Grzegorz Tworek
Trifork
Peter Flintholm
https://github.com/souravs17031999
Sourav Kumar
A1 Digital
Jordi Zayuelas i Muñoz
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "New Red Hat Single Sign-On 7.6.2 packages are now available for Red Hat Enterprise Linux 7.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Red Hat Single Sign-On 7.6 is a standalone server, based on the Keycloak project, that provides authentication and standards-based single sign-on capabilities for web and mobile applications.\n\nThis release of Red Hat Single Sign-On 7.6.2 on RHEL 7 serves as a replacement for Red Hat Single Sign-On 7.6.1, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.\n\nSecurity Fix(es):\n\n* keycloak: XSS on impersonation under specific circumstances (CVE-2022-1438)\n* Moment.js: Path traversal in moment.locale (CVE-2022-24785)\n* keycloak: missing email notification template allowlist (CVE-2022-1274)\n* keycloak: minimist: prototype pollution (CVE-2021-44906)\n* moment: inefficient parsing algorithm resulting in DoS (CVE-2022-31129)\n* undertow: DoS can be achieved as Undertow server waits for the LAST_CHUNK forever for EJB invocations (CVE-2022-2764)\n* snakeyaml: Denial of Service due to missing nested depth limitation for collections (CVE-2022-25857)\n* loader-utils: loader-utils:Regular expression denial of service (CVE-2022-37603)\n* keycloak: Session takeover with OIDC offline refreshtokens (CVE-2022-3916)\n* keycloak: path traversal via double URL encoding (CVE-2022-3782)\n* snakeyaml: Uncaught exception in org.yaml.snakeyaml.composer.Composer.composeSequenceNode (CVE-2022-38749)\n* snakeyaml: Uncaught exception in java.base/java.util.regex.Pattern$Ques.match (CVE-2022-38751)\n* snakeyaml: Uncaught exception in org.yaml.snakeyaml.constructor.BaseConstructor.constructObject (CVE-2022-38750)\n* keycloak: Client Registration endpoint does not check token revocation (CVE-2023-0091)\n* keycloak: glob-parent: Regular Expression Denial of Service (CVE-2021-35065)\n* json5: Prototype Pollution in JSON5 via Parse Method (CVE-2022-46175)\n* keycloak: keycloak: user impersonation via stolen uuid code (CVE-2023-0264)\n* snakeyaml: Constructor Deserialization Remote Code Execution (CVE-2022-1471)\n* CXF: Apache CXF: SSRF Vulnerability (CVE-2022-46364)\n* rcue-bootstrap: bootstrap: Cross-site Scripting (XSS) in the data-container property of tooltip (CVE-2018-14042)\n* jettison: If the value in map is the map\u0027s self, the new new JSONObject(map) cause StackOverflowError which may lead to dos (CVE-2022-45693)\n* sshd-common: mina-sshd: Java unsafe deserialization vulnerability (CVE-2022-45047)\n* jettison: memory exhaustion via user-supplied XML or JSON data (CVE-2022-40150)\n* jettison: parser crash by stackoverflow (CVE-2022-40149)\n* jackson-databind: use of deeply nested arrays (CVE-2022-42004)\n* jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS (CVE-2022-42003)\n* jquery: Cross-site scripting due to improper injQuery.htmlPrefilter method (CVE-2020-11022)\n* jquery: Passing HTML containing \u003coption\u003e elements to manipulation methods could result in untrusted code execution (CVE-2020-11023)\n* bootstrap: Cross-site Scripting (XSS) in the collapse data-parent attribute (CVE-2018-14040)\n* jquery: Prototype pollution in object\u0027s prototype leading to denial of service, remote code execution, or property injection (CVE-2019-11358)\n* CXF: Apache CXF: directory listing / code exfiltration (CVE-2022-46363)\n* keycloak: reflected XSS attack (CVE-2022-4137)\n\nFor more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2023:1043",
"url": "https://access.redhat.com/errata/RHSA-2023:1043"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "1601614",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1601614"
},
{
"category": "external",
"summary": "1601617",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1601617"
},
{
"category": "external",
"summary": "1701972",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1701972"
},
{
"category": "external",
"summary": "1828406",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1828406"
},
{
"category": "external",
"summary": "2031904",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031904"
},
{
"category": "external",
"summary": "2066009",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2066009"
},
{
"category": "external",
"summary": "2072009",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2072009"
},
{
"category": "external",
"summary": "2073157",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2073157"
},
{
"category": "external",
"summary": "2105075",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2105075"
},
{
"category": "external",
"summary": "2117506",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2117506"
},
{
"category": "external",
"summary": "2126789",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2126789"
},
{
"category": "external",
"summary": "2129706",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2129706"
},
{
"category": "external",
"summary": "2129707",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2129707"
},
{
"category": "external",
"summary": "2129709",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2129709"
},
{
"category": "external",
"summary": "2135244",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135244"
},
{
"category": "external",
"summary": "2135247",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135247"
},
{
"category": "external",
"summary": "2135770",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135770"
},
{
"category": "external",
"summary": "2135771",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135771"
},
{
"category": "external",
"summary": "2138971",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2138971"
},
{
"category": "external",
"summary": "2140597",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2140597"
},
{
"category": "external",
"summary": "2141404",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2141404"
},
{
"category": "external",
"summary": "2145194",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2145194"
},
{
"category": "external",
"summary": "2148496",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2148496"
},
{
"category": "external",
"summary": "2150009",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2150009"
},
{
"category": "external",
"summary": "2155681",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2155681"
},
{
"category": "external",
"summary": "2155682",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2155682"
},
{
"category": "external",
"summary": "2155970",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2155970"
},
{
"category": "external",
"summary": "2156263",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2156263"
},
{
"category": "external",
"summary": "2156324",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2156324"
},
{
"category": "external",
"summary": "2158585",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2158585"
},
{
"category": "external",
"summary": "2160585",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2160585"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2023/rhsa-2023_1043.json"
}
],
"title": "Red Hat Security Advisory: Red Hat Single Sign-On 7.6.2 security update on RHEL 7",
"tracking": {
"current_release_date": "2024-12-18T00:37:43+00:00",
"generator": {
"date": "2024-12-18T00:37:43+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.2.3"
}
},
"id": "RHSA-2023:1043",
"initial_release_date": "2023-03-01T22:02:40+00:00",
"revision_history": [
{
"date": "2023-03-01T22:02:40+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2023-03-01T22:02:40+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2024-12-18T00:37:43+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Single Sign-On 7.6 for RHEL 7 Server",
"product": {
"name": "Red Hat Single Sign-On 7.6 for RHEL 7 Server",
"product_id": "7Server-RHSSO-7.6",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:red_hat_single_sign_on:7.6::el7"
}
}
}
],
"category": "product_family",
"name": "Red Hat Single Sign-On"
},
{
"branches": [
{
"category": "product_version",
"name": "rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"product": {
"name": "rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"product_id": "rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/rh-sso7-keycloak@18.0.6-1.redhat_00001.1.el7sso?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"product": {
"name": "rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"product_id": "rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/rh-sso7-keycloak@18.0.6-1.redhat_00001.1.el7sso?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"product": {
"name": "rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"product_id": "rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/rh-sso7-keycloak-server@18.0.6-1.redhat_00001.1.el7sso?arch=noarch"
}
}
}
],
"category": "architecture",
"name": "noarch"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch as a component of Red Hat Single Sign-On 7.6 for RHEL 7 Server",
"product_id": "7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
},
"product_reference": "rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"relates_to_product_reference": "7Server-RHSSO-7.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src as a component of Red Hat Single Sign-On 7.6 for RHEL 7 Server",
"product_id": "7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src"
},
"product_reference": "rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"relates_to_product_reference": "7Server-RHSSO-7.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch as a component of Red Hat Single Sign-On 7.6 for RHEL 7 Server",
"product_id": "7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
},
"product_reference": "rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"relates_to_product_reference": "7Server-RHSSO-7.6"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2018-14040",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2018-07-13T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1601614"
}
],
"notes": [
{
"category": "description",
"text": "In Bootstrap before 4.1.2, XSS is possible in the collapse data-parent attribute.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "bootstrap: Cross-site Scripting (XSS) in the collapse data-parent attribute",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Satellite 6.2 and newer versions don\u0027t use the bootstrap library, hence are not affected by this flaw.\n\nRed Hat CloudForms 4.6 and newer versions include the vulnerable component, but there is no risk of exploitation, since there is no possible vector to access the vulnerability. Older Red Hat CloudForms versions don\u0027t use the vulnerable component at all.\n\nRed Hat Enterprise Satellite 5 is now in Maintenance Support 2 phase of the support and maintenance life cycle. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Satellite 5 Life Cycle: https://access.redhat.com/support/policy/updates/satellite.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2018-14040"
},
{
"category": "external",
"summary": "RHBZ#1601614",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1601614"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2018-14040",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-14040"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2018-14040",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-14040"
}
],
"release_date": "2018-05-29T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T22:02:40+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1043"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
"products": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "bootstrap: Cross-site Scripting (XSS) in the collapse data-parent attribute"
},
{
"cve": "CVE-2018-14042",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2018-07-13T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1601617"
}
],
"notes": [
{
"category": "description",
"text": "In Bootstrap before 4.1.2, XSS is possible in the data-container property of tooltip.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "bootstrap: Cross-site Scripting (XSS) in the data-container property of tooltip",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Satellite 6.2 and newer versions don\u0027t use the bootstrap library, hence are not affected by this flaw.\n\nRed Hat CloudForms 4.6 and newer versions include the vulnerable component, but there is no risk of exploitation, since there is no possible vector to access the vulnerability. Older Red Hat CloudForms versions don\u0027t use the vulnerable component at all.\n\nRed Hat Enterprise Satellite 5 is now in Maintenance Support 2 phase of the support and maintenance life cycle. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Satellite 5 Life Cycle: https://access.redhat.com/support/policy/updates/satellite.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2018-14042"
},
{
"category": "external",
"summary": "RHBZ#1601617",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1601617"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2018-14042",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-14042"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2018-14042",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-14042"
}
],
"release_date": "2018-05-29T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T22:02:40+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1043"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
"products": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "bootstrap: Cross-site Scripting (XSS) in the data-container property of tooltip"
},
{
"cve": "CVE-2019-11358",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2019-03-28T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1701972"
}
],
"notes": [
{
"category": "description",
"text": "A Prototype Pollution vulnerability was found in jquery. Untrusted JSON passed to the `extend` function could lead to modifying objects up the prototype chain, including the global Object. A crafted JSON object passed to a vulnerable method could lead to denial of service or data injection, with various consequences.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jquery: Prototype pollution in object\u0027s prototype leading to denial of service, remote code execution, or property injection",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Virtualization 4.2 EUS contains the affected version of bootstrap in the packages ovirt-js-dependencies and ovirt-engine-dashboard. These packages are deprecated in Red Hat Virtualization 4.3.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2019-11358"
},
{
"category": "external",
"summary": "RHBZ#1701972",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1701972"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2019-11358",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-11358"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-11358",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-11358"
},
{
"category": "external",
"summary": "https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/",
"url": "https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/"
},
{
"category": "external",
"summary": "https://www.drupal.org/sa-core-2019-006",
"url": "https://www.drupal.org/sa-core-2019-006"
}
],
"release_date": "2019-03-27T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T22:02:40+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1043"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.0"
},
"products": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "jquery: Prototype pollution in object\u0027s prototype leading to denial of service, remote code execution, or property injection"
},
{
"cve": "CVE-2020-11022",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2020-04-23T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1828406"
}
],
"notes": [
{
"category": "description",
"text": "A Cross-site scripting (XSS) vulnerability exists in JQuery. This flaw allows an attacker with the ability to supply input to the \u2018HTML\u2019 function to inject Javascript into the page where that input is rendered, and have it delivered by the browser.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jquery: Cross-site scripting due to improper injQuery.htmlPrefilter method",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "No supported release of Red Hat OpenStack Platform is affected by this vulnerability as no shipped packages contain the vulnerable code.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2020-11022"
},
{
"category": "external",
"summary": "RHBZ#1828406",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1828406"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2020-11022",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-11022"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-11022",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-11022"
},
{
"category": "external",
"summary": "https://github.com/advisories/GHSA-gxr4-xjj5-5px2",
"url": "https://github.com/advisories/GHSA-gxr4-xjj5-5px2"
}
],
"release_date": "2020-04-23T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T22:02:40+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1043"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "jquery: Cross-site scripting due to improper injQuery.htmlPrefilter method"
},
{
"cve": "CVE-2020-11023",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2020-06-23T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1850004"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in jQuery. HTML containing \\\u003coption\\\u003e elements from untrusted sources are passed, even after sanitizing, to one of jQuery\u0027s DOM manipulation methods, which may execute untrusted code. The highest threat from this vulnerability is to data confidentiality and integrity.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jquery: Untrusted code execution via \u003coption\u003e tag in HTML passed to DOM manipulation methods",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Enterprise Linux versions 6, 7, and 8 ship a vulnerable version of JQuery in the `pcs` component. However, the vulnerability has not been found to be exploitable in reasonable scenarios. \n\nIn RHEL7, pcs-0.9.169-3.el7_9.3 [RHSA-2022:7343] contains an updated version of jquery (3.6.0), which does not contain the vulnerable code.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2020-11023"
},
{
"category": "external",
"summary": "RHBZ#1850004",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1850004"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2020-11023",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-11023"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-11023",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-11023"
},
{
"category": "external",
"summary": "https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/",
"url": "https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/"
}
],
"release_date": "2020-04-29T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T22:02:40+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1043"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "jquery: Untrusted code execution via \u003coption\u003e tag in HTML passed to DOM manipulation methods"
},
{
"cve": "CVE-2021-35065",
"cwe": {
"id": "CWE-400",
"name": "Uncontrolled Resource Consumption"
},
"discovery_date": "2022-12-26T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2156324"
}
],
"notes": [
{
"category": "description",
"text": "A vulnerability was found in the glob-parent package. Affected versions of this package are vulnerable to Regular expression Denial of Service (ReDoS) attacks, affecting system availability.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "glob-parent: Regular Expression Denial of Service",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "The glob-parent package is a transitive dependency and this is not used directly in any of the Red Hat products. Hence, the impact is reduced to Moderate.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2021-35065"
},
{
"category": "external",
"summary": "RHBZ#2156324",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2156324"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2021-35065",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-35065"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-35065",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-35065"
},
{
"category": "external",
"summary": "https://security.snyk.io/vuln/SNYK-JS-GLOBPARENT-1314294",
"url": "https://security.snyk.io/vuln/SNYK-JS-GLOBPARENT-1314294"
}
],
"release_date": "2022-12-26T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T22:02:40+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1043"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "glob-parent: Regular Expression Denial of Service"
},
{
"cve": "CVE-2021-44906",
"cwe": {
"id": "CWE-1321",
"name": "Improperly Controlled Modification of Object Prototype Attributes (\u0027Prototype Pollution\u0027)"
},
"discovery_date": "2022-03-19T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2066009"
}
],
"notes": [
{
"category": "description",
"text": "An Uncontrolled Resource Consumption flaw was found in minimist. This flaw allows an attacker to trick the library into adding or modifying the properties of Object.prototype, using a constructor or __proto__ payload, resulting in prototype pollution and loss of confidentiality, availability, and integrity.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "minimist: prototype pollution",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "The original fix for CVE-2020-7598 was incomplete as it was still possible to bypass in some cases. While this flaw (CVE-2021-44906) enables attackers to control objects that they should not have access to, actual exploitation would still require a chain of independent flaws. Even though the CVSS for CVE-2021-44906 is higher than CVE-2020-7598, they are both rated as having Moderate impact.\n\nWithin Red Hat Satellite 6 this flaw has been rated as having a security impact of Low. It is not currently planned to be addressed there, as the minimist library is only included in the -doc subpackage and is part of test fixtures that are not in the execution path used by the rabl gem.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2021-44906"
},
{
"category": "external",
"summary": "RHBZ#2066009",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2066009"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2021-44906",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-44906"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-44906",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-44906"
},
{
"category": "external",
"summary": "https://github.com/advisories/GHSA-xvch-5gv4-984h",
"url": "https://github.com/advisories/GHSA-xvch-5gv4-984h"
}
],
"release_date": "2022-03-10T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T22:02:40+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1043"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "minimist: prototype pollution"
},
{
"acknowledgments": [
{
"names": [
"Marcus Nilsson"
],
"organization": "usd AG"
}
],
"cve": "CVE-2022-1274",
"cwe": {
"id": "CWE-80",
"name": "Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)"
},
"discovery_date": "2022-04-07T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2073157"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Keycloak in the execute-actions-email endpoint. This issue allows arbitrary HTML to be injected into emails sent to Keycloak users and can be misused to perform phishing or other attacks against users.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "keycloak: HTML injection in execute-actions-email Admin REST API",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-1274"
},
{
"category": "external",
"summary": "RHBZ#2073157",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2073157"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-1274",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-1274"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-1274",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1274"
},
{
"category": "external",
"summary": "https://github.com/keycloak/keycloak/security/advisories/GHSA-m4fv-gm5m-4725",
"url": "https://github.com/keycloak/keycloak/security/advisories/GHSA-m4fv-gm5m-4725"
}
],
"release_date": "2023-02-28T18:57:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T22:02:40+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1043"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:N",
"version": "3.1"
},
"products": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "keycloak: HTML injection in execute-actions-email Admin REST API"
},
{
"acknowledgments": [
{
"names": [
"Grzegorz Tworek"
],
"organization": "SISOFT s.c."
}
],
"cve": "CVE-2022-1438",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2021-12-13T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2031904"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Keycloak. Under specific circumstances, HTML entities are not sanitized during user impersonation, resulting in a Cross-site scripting (XSS) vulnerability.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "keycloak: XSS on impersonation under specific circumstances",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-1438"
},
{
"category": "external",
"summary": "RHBZ#2031904",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031904"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-1438",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-1438"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-1438",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1438"
}
],
"release_date": "2023-02-28T18:56:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T22:02:40+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1043"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "keycloak: XSS on impersonation under specific circumstances"
},
{
"cve": "CVE-2022-1471",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2022-12-01T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2150009"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the SnakeYaml package. This flaw allows an attacker to benefit from remote code execution by sending malicious YAML content and this content being deserialized by the constructor. Deserialization is unsafe and leads to Remote Code Execution (RCE).",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "SnakeYaml: Constructor Deserialization Remote Code Execution",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "In the Red Hat Process Automation 7 (RHPAM) the untrusted, malicious YAML file for deserialization by the vulnerable Snakeyaml\u0027s SafeConstructor class must be provided intentionally by the RHPAM user which requires high privileges. The potential attack complexity is also high because it depends on conditions that are beyond the attacker\u0027s control. Due to that the impact for RHPAM is reduced to Low.\n\nRed Hat Fuse 7 does not expose by default any endpoint that passes incoming data/request into vulnerable Snakeyaml\u0027s Constructor class nor pass untrusted data to this class. When this class is used, it\u2019s still only used to parse internal configuration, hence the impact by this vulnerability to Red Hat Fuse 7 is reduced to Moderate.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-1471"
},
{
"category": "external",
"summary": "RHBZ#2150009",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2150009"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-1471",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-1471"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-1471",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1471"
},
{
"category": "external",
"summary": "https://github.com/google/security-research/security/advisories/GHSA-mjmj-j48q-9wg2",
"url": "https://github.com/google/security-research/security/advisories/GHSA-mjmj-j48q-9wg2"
}
],
"release_date": "2022-10-13T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T22:02:40+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1043"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "SnakeYaml: Constructor Deserialization Remote Code Execution"
},
{
"cve": "CVE-2022-2764",
"discovery_date": "2022-08-11T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2117506"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Undertow with EJB invocations. This flaw allows an attacker to generate a valid HTTP request and send it to the server on an established connection after removing the LAST_CHUNK from the bytes, causing a denial of service.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "Undertow: DoS can be achieved as Undertow server waits for the LAST_CHUNK forever for EJB invocations",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-2764"
},
{
"category": "external",
"summary": "RHBZ#2117506",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2117506"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-2764",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-2764"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-2764",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2764"
}
],
"release_date": "2022-08-11T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T22:02:40+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1043"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 4.2,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "Undertow: DoS can be achieved as Undertow server waits for the LAST_CHUNK forever for EJB invocations"
},
{
"acknowledgments": [
{
"names": [
"Peter Flintholm"
],
"organization": "Trifork"
}
],
"cve": "CVE-2022-3916",
"cwe": {
"id": "CWE-384",
"name": "Session Fixation"
},
"discovery_date": "2022-11-09T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2141404"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the offline_access scope in Keycloak. This issue would affect users of shared computers more (especially if cookies are not cleared), due to a lack of root session validation, and the reuse of session ids across root and user authentication sessions. This enables an attacker to resolve a user session attached to a previously authenticated user; when utilizing the refresh token, they will be issued a token for the original user.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "keycloak: Session takeover with OIDC offline refreshtokens",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-3916"
},
{
"category": "external",
"summary": "RHBZ#2141404",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2141404"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-3916",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-3916"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-3916",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3916"
}
],
"release_date": "2022-11-09T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T22:02:40+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1043"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "keycloak: Session takeover with OIDC offline refreshtokens"
},
{
"cve": "CVE-2022-4137",
"cwe": {
"id": "CWE-81",
"name": "Improper Neutralization of Script in an Error Message Web Page"
},
"discovery_date": "2022-11-25T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2148496"
}
],
"notes": [
{
"category": "description",
"text": "A reflected cross-site scripting (XSS) vulnerability was found in the \u0027oob\u0027 OAuth endpoint due to incorrect null-byte handling. This issue allows a malicious link to insert an arbitrary URI into a Keycloak error page. This flaw requires a user or administrator to interact with a link in order to be vulnerable. This may compromise user details, allowing it to be changed or collected by an attacker.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "keycloak: reflected XSS attack",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-4137"
},
{
"category": "external",
"summary": "RHBZ#2148496",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2148496"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-4137",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-4137"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-4137",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-4137"
}
],
"release_date": "2023-03-01T13:56:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T22:02:40+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1043"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "keycloak: reflected XSS attack"
},
{
"cve": "CVE-2022-24785",
"cwe": {
"id": "CWE-22",
"name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
},
"discovery_date": "2022-04-05T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2072009"
}
],
"notes": [
{
"category": "description",
"text": "A path traversal vulnerability was found in Moment.js that impacts npm (server) users. This issue occurs if a user-provided locale string is directly used to switch moment locale, which an attacker can exploit to change the correct path to one of their choice. This can result in a loss of integrity.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "Moment.js: Path traversal in moment.locale",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-24785"
},
{
"category": "external",
"summary": "RHBZ#2072009",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2072009"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-24785",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-24785"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-24785",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24785"
},
{
"category": "external",
"summary": "https://github.com/moment/moment/security/advisories/GHSA-8hfj-j24r-96c4",
"url": "https://github.com/moment/moment/security/advisories/GHSA-8hfj-j24r-96c4"
}
],
"release_date": "2022-04-04T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T22:02:40+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1043"
},
{
"category": "workaround",
"details": "Sanitize the user-provided locale name before passing it to Moment.js.",
"product_ids": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"products": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "Moment.js: Path traversal in moment.locale"
},
{
"cve": "CVE-2022-25857",
"cwe": {
"id": "CWE-400",
"name": "Uncontrolled Resource Consumption"
},
"discovery_date": "2022-09-14T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2126789"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the org.yaml.snakeyaml package. This flaw allows an attacker to cause a denial of service (DoS) due to missing nested depth limitation for collections.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "snakeyaml: Denial of Service due to missing nested depth limitation for collections",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "For RHEL-8 it\u0027s downgraded to moderate because \"snakeyaml\" itself in RHEL 8 or RHEL-9 isn\u0027t shipped and \"prometheus-jmx-exporter\" is needed as build dependency. And it\u0027s not directly exploitable, hence severity marked as moderate.\nRed Hat Integration and AMQ products are not vulnerable to this flaw, so their severity has been lowered to moderate.\nRed Hat Single Sign-On uses snakeyaml from liquibase-core and is only used when performing migrations and would require administrator privileges to execute, hence severity marked as Low.\nRed Hat Fuse 7 is now in Maintenance Support Phase and details about its fix should be present soon. However, Red Hat Fuse Online (Syndesis) does will not contain the fix for this flaw.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-25857"
},
{
"category": "external",
"summary": "RHBZ#2126789",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2126789"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-25857",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-25857"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-25857",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-25857"
},
{
"category": "external",
"summary": "https://bitbucket.org/snakeyaml/snakeyaml/issues/525",
"url": "https://bitbucket.org/snakeyaml/snakeyaml/issues/525"
}
],
"release_date": "2022-08-30T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T22:02:40+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1043"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "snakeyaml: Denial of Service due to missing nested depth limitation for collections"
},
{
"cve": "CVE-2022-31129",
"cwe": {
"id": "CWE-400",
"name": "Uncontrolled Resource Consumption"
},
"discovery_date": "2022-07-07T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2105075"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the Moment.js package. Users who pass user-provided strings without sanity length checks to the moment constructor are vulnerable to regular expression denial of service (ReDoS) attacks.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "moment: inefficient parsing algorithm resulting in DoS",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Fuse provides the affected software but does not use the functionality and as such its impact has been downgraded to Low.\n\nRed Hat Advanced Cluster Management for Kubernetes (RHACM) ships a vulnerable version of the moment library. However, this affected functionality is restricted behind OAuth, reducing the impact to Moderate.\n\nRed Hat Satellite ships a vulnerable version of the moment library. However, this only affects a specific component (qpid-dispatch), reducing the impact to Moderate.\n\nRed Hat Ceph Storage (RHCS) ships a vulnerable version of the moment library, however, it is not directly used and is a transitive dependency from Angular. In addition, the impact would only be to the grafana browser, and not the underlying RHCS system, which reduces the impact to Moderate. \n\nRed Hat OpenShift Service Mesh (OSSM) ships a vulnerable version of the moment library, however, it is not directly used, and as such, the impact has been lowered to Moderate.\n\nRed Hat OpenShift distributed tracing ships a vulnerable version of the moment library, however, it is not directly used, and as such, the impact has been lowered to Moderate.\n\nIn Logging Subsystem for Red Hat OpenShift the vulnerable moment nodejs package is bundled in the ose-logging-kibana6 container as a transitive dependency, hence the direct impact is reduced to Moderate.\n\nIn OpenShift Container Platform 4 the vulnerabile moment package is a third party dependency, hence the direct impact is reduced to Moderate.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-31129"
},
{
"category": "external",
"summary": "RHBZ#2105075",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2105075"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-31129",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-31129"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-31129",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-31129"
},
{
"category": "external",
"summary": "https://github.com/moment/moment/security/advisories/GHSA-wc69-rhjr-hc9g",
"url": "https://github.com/moment/moment/security/advisories/GHSA-wc69-rhjr-hc9g"
}
],
"release_date": "2022-07-06T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T22:02:40+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1043"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "moment: inefficient parsing algorithm resulting in DoS"
},
{
"cve": "CVE-2022-37603",
"cwe": {
"id": "CWE-185",
"name": "Incorrect Regular Expression"
},
"discovery_date": "2022-11-07T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2140597"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in loader-utils webpack library. When the url variable from interpolateName is set, the prototype can be polluted. This issue could lead to a regular expression Denial of Service (ReDoS), affecting the availability of the affected component.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "loader-utils: Regular expression denial of service",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-37603"
},
{
"category": "external",
"summary": "RHBZ#2140597",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2140597"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-37603",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-37603"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-37603",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-37603"
}
],
"release_date": "2022-10-06T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T22:02:40+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1043"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "loader-utils: Regular expression denial of service"
},
{
"cve": "CVE-2022-38749",
"cwe": {
"id": "CWE-787",
"name": "Out-of-bounds Write"
},
"discovery_date": "2022-09-26T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2129706"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the snakeyaml package due to a stack-overflow in parsing YAML files. By persuading a victim to open a specially-crafted file, a remote attacker could cause the application to crash, resulting in a denial of service.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "snakeyaml: Uncaught exception in org.yaml.snakeyaml.composer.Composer.composeSequenceNode",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Build of Quarkus is not affected by this issue as it already includes the fixed version.\n\nSatellite component Candlepin does not directly use snakeyaml, so it is not affected. Regardless, an update with the latest, unaffected snakeyaml version will be provided at next release.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-38749"
},
{
"category": "external",
"summary": "RHBZ#2129706",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2129706"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-38749",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-38749"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-38749",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-38749"
}
],
"release_date": "2022-09-05T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T22:02:40+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1043"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "snakeyaml: Uncaught exception in org.yaml.snakeyaml.composer.Composer.composeSequenceNode"
},
{
"cve": "CVE-2022-38750",
"cwe": {
"id": "CWE-787",
"name": "Out-of-bounds Write"
},
"discovery_date": "2022-09-26T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2129707"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the snakeyaml package due to a stack-overflow in parsing YAML files. By persuading a victim to open a specially-crafted file, a remote attacker could cause the application to crash.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "snakeyaml: Uncaught exception in org.yaml.snakeyaml.constructor.BaseConstructor.constructObject",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Build of Quarkus is not affected by this issue as it already includes the fixed version.\n\nSatellite component Candlepin does not directly use snakeyaml, so it is not affected. Regardless, an update with the latest, unaffected snakeyaml version will be provided at next release.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-38750"
},
{
"category": "external",
"summary": "RHBZ#2129707",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2129707"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-38750",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-38750"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-38750",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-38750"
}
],
"release_date": "2022-09-05T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T22:02:40+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1043"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "snakeyaml: Uncaught exception in org.yaml.snakeyaml.constructor.BaseConstructor.constructObject"
},
{
"cve": "CVE-2022-38751",
"cwe": {
"id": "CWE-787",
"name": "Out-of-bounds Write"
},
"discovery_date": "2022-09-26T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2129709"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the snakeyaml package due to a stack-overflow in parsing YAML files. By persuading a victim to open a specially-crafted file, a remote attacker could cause the application to crash.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "snakeyaml: Uncaught exception in java.base/java.util.regex.Pattern$Ques.match",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Build of Quarkus is not affected by this issue as it already includes the fixed version.\n\nSatellite component Candlepin does not directly use snakeyaml, so it is not affected. Regardless, an update with the latest, unaffected snakeyaml version will be provided at next release.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-38751"
},
{
"category": "external",
"summary": "RHBZ#2129709",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2129709"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-38751",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-38751"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-38751",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-38751"
}
],
"release_date": "2022-09-05T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T22:02:40+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1043"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "snakeyaml: Uncaught exception in java.base/java.util.regex.Pattern$Ques.match"
},
{
"cve": "CVE-2022-40149",
"cwe": {
"id": "CWE-787",
"name": "Out-of-bounds Write"
},
"discovery_date": "2022-10-18T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2135771"
}
],
"notes": [
{
"category": "description",
"text": "A stack-based buffer overflow vulnerability was found in Jettison, where parsing an untrusted XML or JSON data may lead to a crash. This flaw allows an attacker to supply content that causes the parser to crash by writing outside the memory bounds if the parser is running on user-supplied input, resulting in a denial of service attack.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jettison: parser crash by stackoverflow",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-40149"
},
{
"category": "external",
"summary": "RHBZ#2135771",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135771"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-40149",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-40149"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-40149",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-40149"
},
{
"category": "external",
"summary": "https://github.com/jettison-json/jettison/releases/tag/jettison-1.5.1",
"url": "https://github.com/jettison-json/jettison/releases/tag/jettison-1.5.1"
}
],
"release_date": "2022-09-20T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T22:02:40+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1043"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "jettison: parser crash by stackoverflow"
},
{
"cve": "CVE-2022-40150",
"cwe": {
"id": "CWE-400",
"name": "Uncontrolled Resource Consumption"
},
"discovery_date": "2022-10-18T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2135770"
}
],
"notes": [
{
"category": "description",
"text": "A vulnerability was found in Jettison, where parsing an untrusted XML or JSON data may lead to a crash. If the parser is running on user-supplied input, an attacker may supply content that causes the parser to crash, causing memory exhaustion. This effect may support a denial of service attack.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jettison: memory exhaustion via user-supplied XML or JSON data",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-40150"
},
{
"category": "external",
"summary": "RHBZ#2135770",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135770"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-40150",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-40150"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-40150",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-40150"
},
{
"category": "external",
"summary": "https://github.com/jettison-json/jettison/releases/tag/jettison-1.5.1",
"url": "https://github.com/jettison-json/jettison/releases/tag/jettison-1.5.1"
}
],
"release_date": "2022-09-20T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T22:02:40+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1043"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "jettison: memory exhaustion via user-supplied XML or JSON data"
},
{
"cve": "CVE-2022-42003",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2022-10-17T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2135244"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in FasterXML jackson-databind. This issue could allow an attacker to benefit from resource exhaustion when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled due to unchecked primitive value deserializers to avoid deep wrapper array nesting.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-42003"
},
{
"category": "external",
"summary": "RHBZ#2135244",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135244"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-42003",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-42003"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-42003",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-42003"
}
],
"release_date": "2022-10-02T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T22:02:40+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1043"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS"
},
{
"cve": "CVE-2022-42004",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2022-10-17T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2135247"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found In FasterXML jackson-databind. This issue could allow an attacker to benefit from resource exhaustion due to the lack of a check in BeanDeserializer._deserializeFromArray to prevent the use of deeply nested arrays. An application is only vulnerable with certain customized choices for deserialization.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jackson-databind: use of deeply nested arrays",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-42004"
},
{
"category": "external",
"summary": "RHBZ#2135247",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135247"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-42004",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-42004"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-42004",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-42004"
}
],
"release_date": "2022-10-02T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T22:02:40+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1043"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "jackson-databind: use of deeply nested arrays"
},
{
"cve": "CVE-2022-45047",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2022-11-23T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2145194"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Apache MINA SSHD, when using Java deserialization to load a serialized java.security.PrivateKey. An attacker could benefit from unsafe deserialization by inserting unsecured data that may affect the application or server.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "mina-sshd: Java unsafe deserialization vulnerability",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Impact as High as there\u0027s a mitigation for minimizing the impact which the flaw requires org.apache.sshd.server.keyprovider.SimpleGeneratorHostKeyProvider to be impacted, which would require an external/public API for an attacker to benefit from it. \n\nRed Hat Fuse 7 and Red Hat JBoss Enterprise Application Platform 7 have a lower rate (moderate) as it\u0027s very unlikely to be exploited since those are for internal usage or use a custom implementation in their case.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-45047"
},
{
"category": "external",
"summary": "RHBZ#2145194",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2145194"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-45047",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-45047"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-45047",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-45047"
},
{
"category": "external",
"summary": "https://www.mail-archive.com/dev@mina.apache.org/msg39312.html",
"url": "https://www.mail-archive.com/dev@mina.apache.org/msg39312.html"
}
],
"release_date": "2022-11-16T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T22:02:40+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1043"
},
{
"category": "workaround",
"details": "From the maintainer:\n\nFor Apache MINA SSHD \u003c= 2.9.1, do not use org.apache.sshd.server.keyprovider.SimpleGeneratorHostKeyProvider to generate and later load your server\u0027s host key. Use separately generated host key files, for instance in OpenSSH format, and load them via a org.apache.sshd.common.keyprovider.FileKeyPairProvider instead. Or use a custom implementation instead of \nSimpleGeneratorHostKeyProvider that uses the OpenSSH format for storing and loading the host key (via classes OpenSSHKeyPairResourceWriter and OpenSSHKeyPairResourceParser).",
"product_ids": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "mina-sshd: Java unsafe deserialization vulnerability"
},
{
"cve": "CVE-2022-45693",
"cwe": {
"id": "CWE-787",
"name": "Out-of-bounds Write"
},
"discovery_date": "2022-12-23T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2155970"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Jettison, where it is vulnerable to a denial of service caused by a stack-based buffer overflow. By sending a specially-crafted request using the map parameter, a remote attacker can cause a denial of service.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jettison: If the value in map is the map\u0027s self, the new new JSONObject(map) cause StackOverflowError which may lead to dos",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat has determined the impact of this flaw to be Moderate; a successful attack using this flaw would require the processing of untrusted, unsanitized, or unrestricted user inputs, which runs counter to established Red Hat security practices.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-45693"
},
{
"category": "external",
"summary": "RHBZ#2155970",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2155970"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-45693",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-45693"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-45693",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-45693"
}
],
"release_date": "2022-12-13T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T22:02:40+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1043"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "jettison: If the value in map is the map\u0027s self, the new new JSONObject(map) cause StackOverflowError which may lead to dos"
},
{
"cve": "CVE-2022-46175",
"cwe": {
"id": "CWE-1321",
"name": "Improperly Controlled Modification of Object Prototype Attributes (\u0027Prototype Pollution\u0027)"
},
"discovery_date": "2022-12-26T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2156263"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the json5 package. The affected version of the json5 package could allow an attacker to set arbitrary and unexpected keys on the object returned from JSON5.parse.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "json5: Prototype Pollution in JSON5 via Parse Method",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "The json5 package is a build-time dependency in Red Hat products and is not used in production runtime. Hence, the impact is set to Moderate.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-46175"
},
{
"category": "external",
"summary": "RHBZ#2156263",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2156263"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-46175",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-46175"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-46175",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-46175"
},
{
"category": "external",
"summary": "https://github.com/json5/json5/security/advisories/GHSA-9c47-m6qq-7p4h",
"url": "https://github.com/json5/json5/security/advisories/GHSA-9c47-m6qq-7p4h"
}
],
"release_date": "2022-12-24T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T22:02:40+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1043"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "json5: Prototype Pollution in JSON5 via Parse Method"
},
{
"cve": "CVE-2022-46363",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"discovery_date": "2022-12-21T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2155681"
}
],
"notes": [
{
"category": "description",
"text": "A vulnerability was found in Apache CXF that could allow an attacker to perform a remote directory listing or code exfiltration. This issue only applies when the CXFServlet is configured with both the static-resources-list and redirect-query-check attributes. These attributes are not supposed to be used together, so the issue can only occur if the CXF service is misconfigured.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "CXF: directory listing / code exfiltration",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-46363"
},
{
"category": "external",
"summary": "RHBZ#2155681",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2155681"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-46363",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-46363"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-46363",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-46363"
},
{
"category": "external",
"summary": "https://lists.apache.org/thread/pdzo1qgyplf4y523tnnzrcm7hoco3l8c",
"url": "https://lists.apache.org/thread/pdzo1qgyplf4y523tnnzrcm7hoco3l8c"
}
],
"release_date": "2022-12-13T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T22:02:40+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1043"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "CXF: directory listing / code exfiltration"
},
{
"cve": "CVE-2022-46364",
"cwe": {
"id": "CWE-918",
"name": "Server-Side Request Forgery (SSRF)"
},
"discovery_date": "2022-12-21T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2155682"
}
],
"notes": [
{
"category": "description",
"text": "A SSRF vulnerability was found in Apache CXF. This issue occurs when parsing the href attribute of XOP:Include in MTOM requests, allowing an attacker to perform SSRF style attacks on webservices that take at least one parameter of any type.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "CXF: SSRF Vulnerability",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Integration Camel Quarkus does not support CXF extensions and so is affected at a reduced impact of Moderate.\nThe RHSSO server does not ship Apache CXF. The component mentioned in CVE-2022-46364 is a transitive dependency coming from Fuse adapters and the test suite.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-46364"
},
{
"category": "external",
"summary": "RHBZ#2155682",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2155682"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-46364",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-46364"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-46364",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-46364"
},
{
"category": "external",
"summary": "https://cxf.apache.org/security-advisories.data/CVE-2022-46364.txt?version=1\u0026modificationDate=1670944472739\u0026api=v2",
"url": "https://cxf.apache.org/security-advisories.data/CVE-2022-46364.txt?version=1\u0026modificationDate=1670944472739\u0026api=v2"
}
],
"release_date": "2022-12-13T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T22:02:40+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1043"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "CXF: SSRF Vulnerability"
},
{
"acknowledgments": [
{
"names": [
"Sourav Kumar"
],
"organization": "https://github.com/souravs17031999",
"summary": "Acknowledged by upstream."
}
],
"cve": "CVE-2023-0091",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"discovery_date": "2022-10-28T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2158585"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Keycloak, where it did not properly check client tokens for possible revocation in its client credential flow. This flaw allows an attacker to access or modify potentially sensitive information.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "keycloak: Client Registration endpoint does not check token revocation",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2023-0091"
},
{
"category": "external",
"summary": "RHBZ#2158585",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2158585"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2023-0091",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-0091"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-0091",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0091"
},
{
"category": "external",
"summary": "https://github.com/keycloak/keycloak/security/advisories/GHSA-v436-q368-hvgg",
"url": "https://github.com/keycloak/keycloak/security/advisories/GHSA-v436-q368-hvgg"
},
{
"category": "external",
"summary": "https://github.com/keycloak/security/issues/27",
"url": "https://github.com/keycloak/security/issues/27"
}
],
"release_date": "2022-10-28T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T22:02:40+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1043"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.8,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "keycloak: Client Registration endpoint does not check token revocation"
},
{
"acknowledgments": [
{
"names": [
"Jordi Zayuelas i Mu\u00f1oz"
],
"organization": "A1 Digital",
"summary": "Acknowledged by upstream."
}
],
"cve": "CVE-2023-0264",
"cwe": {
"id": "CWE-303",
"name": "Incorrect Implementation of Authentication Algorithm"
},
"discovery_date": "2023-01-12T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2160585"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Keycloak\u0027s OpenID Connect user authentication, which may incorrectly authenticate requests. An authenticated attacker who could obtain information from a user request within the same realm could use that data to impersonate the victim and generate new session tokens. This issue could impact confidentiality, Integrity, and availability.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "keycloak: user impersonation via stolen uuid code",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2023-0264"
},
{
"category": "external",
"summary": "RHBZ#2160585",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2160585"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2023-0264",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-0264"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-0264",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0264"
}
],
"release_date": "2023-02-28T18:58:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T22:02:40+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1043"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "LOW",
"baseScore": 4.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
},
"products": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "keycloak: user impersonation via stolen uuid code"
}
]
}
RHSA-2023_1044
Vulnerability from csaf_redhat - Published: 2023-03-01 21:45 - Updated: 2024-12-18 00:38Summary
Red Hat Security Advisory: Red Hat Single Sign-On 7.6.2 security update on RHEL 8
Severity
Important
Notes
Topic: New Red Hat Single Sign-On 7.6.2 packages are now available for Red Hat Enterprise Linux 8.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details: Red Hat Single Sign-On 7.6 is a standalone server, based on the Keycloak project, that provides authentication and standards-based single sign-on capabilities for web and mobile applications.
This release of Red Hat Single Sign-On 7.6.2 on RHEL 8 serves as a replacement for Red Hat Single Sign-On 7.6.1, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.
Security Fix(es):
* keycloak: XSS on impersonation under specific circumstances (CVE-2022-1438)
* Moment.js: Path traversal in moment.locale (CVE-2022-24785)
* keycloak: missing email notification template allowlist (CVE-2022-1274)
* keycloak: minimist: prototype pollution (CVE-2021-44906)
* moment: inefficient parsing algorithm resulting in DoS (CVE-2022-31129)
* undertow: DoS can be achieved as Undertow server waits for the LAST_CHUNK forever for EJB invocations (CVE-2022-2764)
* snakeyaml: Denial of Service due to missing nested depth limitation for collections (CVE-2022-25857)
* loader-utils: loader-utils:Regular expression denial of service (CVE-2022-37603)
* keycloak: Session takeover with OIDC offline refreshtokens (CVE-2022-3916)
* keycloak: path traversal via double URL encoding (CVE-2022-3782)
* snakeyaml: Uncaught exception in org.yaml.snakeyaml.composer.Composer.composeSequenceNode (CVE-2022-38749)
* snakeyaml: Uncaught exception in java.base/java.util.regex.Pattern$Ques.match (CVE-2022-38751)
* snakeyaml: Uncaught exception in org.yaml.snakeyaml.constructor.BaseConstructor.constructObject (CVE-2022-38750)
* keycloak: Client Registration endpoint does not check token revocation (CVE-2023-0091)
* keycloak: glob-parent: Regular Expression Denial of Service (CVE-2021-35065)
* json5: Prototype Pollution in JSON5 via Parse Method (CVE-2022-46175)
* keycloak: keycloak: user impersonation via stolen uuid code (CVE-2023-0264)
* snakeyaml: Constructor Deserialization Remote Code Execution (CVE-2022-1471)
* CXF: Apache CXF: SSRF Vulnerability (CVE-2022-46364)
* rcue-bootstrap: bootstrap: Cross-site Scripting (XSS) in the data-container property of tooltip (CVE-2018-14042)
* jettison: If the value in map is the map's self, the new new JSONObject(map) cause StackOverflowError which may lead to dos (CVE-2022-45693)
* sshd-common: mina-sshd: Java unsafe deserialization vulnerability (CVE-2022-45047)
* jettison: memory exhaustion via user-supplied XML or JSON data (CVE-2022-40150)
* jettison: parser crash by stackoverflow (CVE-2022-40149)
* jackson-databind: use of deeply nested arrays (CVE-2022-42004)
* jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS (CVE-2022-42003)
* jquery: Cross-site scripting due to improper injQuery.htmlPrefilter method (CVE-2020-11022)
* jquery: Passing HTML containing <option> elements to manipulation methods could result in untrusted code execution (CVE-2020-11023)
* bootstrap: Cross-site Scripting (XSS) in the collapse data-parent attribute (CVE-2018-14040)
* jquery: Prototype pollution in object's prototype leading to denial of service, remote code execution, or property injection (CVE-2019-11358)
* CXF: Apache CXF: directory listing / code exfiltration (CVE-2022-46363)
* keycloak: reflected XSS attack (CVE-2022-4137)
For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
In Bootstrap before 4.1.2, XSS is possible in the collapse data-parent attribute.
6.1 (Medium)
Affected products
Fixed
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch | — |
Vendor Fix
fix
|
Threats
Impact
Moderate
In Bootstrap before 4.1.2, XSS is possible in the data-container property of tooltip.
6.1 (Medium)
Affected products
Fixed
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch | — |
Vendor Fix
fix
|
Threats
Impact
Moderate
A Prototype Pollution vulnerability was found in jquery. Untrusted JSON passed to the `extend` function could lead to modifying objects up the prototype chain, including the global Object. A crafted JSON object passed to a vulnerable method could lead to denial of service or data injection, with various consequences.
5.6 (Medium)
Affected products
Fixed
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch | — |
Vendor Fix
fix
|
Threats
Impact
Moderate
A Cross-site scripting (XSS) vulnerability exists in JQuery. This flaw allows an attacker with the ability to supply input to the ‘HTML’ function to inject Javascript into the page where that input is rendered, and have it delivered by the browser.
6.1 (Medium)
Affected products
Fixed
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch | — |
Vendor Fix
fix
|
Threats
Impact
Moderate
A flaw was found in jQuery. HTML containing \<option\> elements from untrusted sources are passed, even after sanitizing, to one of jQuery's DOM manipulation methods, which may execute untrusted code. The highest threat from this vulnerability is to data confidentiality and integrity.
6.1 (Medium)
Affected products
Fixed
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch | — |
Vendor Fix
fix
|
Threats
Impact
Moderate
A vulnerability was found in the glob-parent package. Affected versions of this package are vulnerable to Regular expression Denial of Service (ReDoS) attacks, affecting system availability.
7.5 (High)
Affected products
Fixed
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch | — |
Vendor Fix
fix
|
Threats
Impact
Low
An Uncontrolled Resource Consumption flaw was found in minimist. This flaw allows an attacker to trick the library into adding or modifying the properties of Object.prototype, using a constructor or __proto__ payload, resulting in prototype pollution and loss of confidentiality, availability, and integrity.
9.8 (Critical)
Affected products
Fixed
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch | — |
Vendor Fix
fix
|
Threats
Impact
Moderate
A flaw was found in Keycloak in the execute-actions-email endpoint. This issue allows arbitrary HTML to be injected into emails sent to Keycloak users and can be misused to perform phishing or other attacks against users.
7.6 (High)
Affected products
Fixed
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch | — |
Vendor Fix
fix
|
Threats
Impact
Moderate
A flaw was found in Keycloak. Under specific circumstances, HTML entities are not sanitized during user impersonation, resulting in a Cross-site scripting (XSS) vulnerability.
6.4 (Medium)
Affected products
Fixed
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch | — |
Vendor Fix
fix
|
Threats
Impact
Moderate
A flaw was found in the SnakeYaml package. This flaw allows an attacker to benefit from remote code execution by sending malicious YAML content and this content being deserialized by the constructor. Deserialization is unsafe and leads to Remote Code Execution (RCE).
9.8 (Critical)
Affected products
Fixed
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch | — |
Vendor Fix
fix
|
Threats
Impact
Important
A flaw was found in Undertow with EJB invocations. This flaw allows an attacker to generate a valid HTTP request and send it to the server on an established connection after removing the LAST_CHUNK from the bytes, causing a denial of service.
4.2 (Medium)
Affected products
Fixed
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch | — |
Vendor Fix
fix
|
Threats
Impact
Low
A flaw was found in the offline_access scope in Keycloak. This issue would affect users of shared computers more (especially if cookies are not cleared), due to a lack of root session validation, and the reuse of session ids across root and user authentication sessions. This enables an attacker to resolve a user session attached to a previously authenticated user; when utilizing the refresh token, they will be issued a token for the original user.
6.8 (Medium)
Affected products
Fixed
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch | — |
Vendor Fix
fix
|
Threats
Impact
Moderate
A reflected cross-site scripting (XSS) vulnerability was found in the 'oob' OAuth endpoint due to incorrect null-byte handling. This issue allows a malicious link to insert an arbitrary URI into a Keycloak error page. This flaw requires a user or administrator to interact with a link in order to be vulnerable. This may compromise user details, allowing it to be changed or collected by an attacker.
8.1 (High)
Affected products
Fixed
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch | — |
Vendor Fix
fix
|
Threats
Impact
Important
A path traversal vulnerability was found in Moment.js that impacts npm (server) users. This issue occurs if a user-provided locale string is directly used to switch moment locale, which an attacker can exploit to change the correct path to one of their choice. This can result in a loss of integrity.
7.5 (High)
Affected products
Fixed
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Moderate
A flaw was found in the org.yaml.snakeyaml package. This flaw allows an attacker to cause a denial of service (DoS) due to missing nested depth limitation for collections.
7.5 (High)
Affected products
Fixed
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch | — |
Vendor Fix
fix
|
Threats
Impact
Low
A flaw was found in the Moment.js package. Users who pass user-provided strings without sanity length checks to the moment constructor are vulnerable to regular expression denial of service (ReDoS) attacks.
7.5 (High)
Affected products
Fixed
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch | — |
Vendor Fix
fix
|
Threats
Impact
Important
A flaw was found in loader-utils webpack library. When the url variable from interpolateName is set, the prototype can be polluted. This issue could lead to a regular expression Denial of Service (ReDoS), affecting the availability of the affected component.
7.5 (High)
Affected products
Fixed
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch | — |
Vendor Fix
fix
|
Threats
Impact
Moderate
A flaw was found in the snakeyaml package due to a stack-overflow in parsing YAML files. By persuading a victim to open a specially-crafted file, a remote attacker could cause the application to crash, resulting in a denial of service.
6.5 (Medium)
Affected products
Fixed
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch | — |
Vendor Fix
fix
|
Threats
Impact
Moderate
A flaw was found in the snakeyaml package due to a stack-overflow in parsing YAML files. By persuading a victim to open a specially-crafted file, a remote attacker could cause the application to crash.
5.5 (Medium)
Affected products
Fixed
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch | — |
Vendor Fix
fix
|
Threats
Impact
Moderate
A flaw was found in the snakeyaml package due to a stack-overflow in parsing YAML files. By persuading a victim to open a specially-crafted file, a remote attacker could cause the application to crash.
6.5 (Medium)
Affected products
Fixed
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch | — |
Vendor Fix
fix
|
Threats
Impact
Moderate
A stack-based buffer overflow vulnerability was found in Jettison, where parsing an untrusted XML or JSON data may lead to a crash. This flaw allows an attacker to supply content that causes the parser to crash by writing outside the memory bounds if the parser is running on user-supplied input, resulting in a denial of service attack.
7.5 (High)
Affected products
Fixed
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch | — |
Vendor Fix
fix
|
Threats
Impact
Moderate
A vulnerability was found in Jettison, where parsing an untrusted XML or JSON data may lead to a crash. If the parser is running on user-supplied input, an attacker may supply content that causes the parser to crash, causing memory exhaustion. This effect may support a denial of service attack.
7.5 (High)
Affected products
Fixed
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch | — |
Vendor Fix
fix
|
Threats
Impact
Low
A flaw was found in FasterXML jackson-databind. This issue could allow an attacker to benefit from resource exhaustion when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled due to unchecked primitive value deserializers to avoid deep wrapper array nesting.
7.5 (High)
Affected products
Fixed
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch | — |
Vendor Fix
fix
|
Threats
Impact
Moderate
A flaw was found In FasterXML jackson-databind. This issue could allow an attacker to benefit from resource exhaustion due to the lack of a check in BeanDeserializer._deserializeFromArray to prevent the use of deeply nested arrays. An application is only vulnerable with certain customized choices for deserialization.
7.5 (High)
Affected products
Fixed
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch | — |
Vendor Fix
fix
|
Threats
Impact
Moderate
A flaw was found in Apache MINA SSHD, when using Java deserialization to load a serialized java.security.PrivateKey. An attacker could benefit from unsafe deserialization by inserting unsecured data that may affect the application or server.
9.8 (Critical)
Affected products
Fixed
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Important
A flaw was found in Jettison, where it is vulnerable to a denial of service caused by a stack-based buffer overflow. By sending a specially-crafted request using the map parameter, a remote attacker can cause a denial of service.
7.5 (High)
Affected products
Fixed
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch | — |
Vendor Fix
fix
|
Threats
Impact
Moderate
A flaw was found in the json5 package. The affected version of the json5 package could allow an attacker to set arbitrary and unexpected keys on the object returned from JSON5.parse.
8.8 (High)
Affected products
Fixed
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch | — |
Vendor Fix
fix
|
Threats
Impact
Low
A vulnerability was found in Apache CXF that could allow an attacker to perform a remote directory listing or code exfiltration. This issue only applies when the CXFServlet is configured with both the static-resources-list and redirect-query-check attributes. These attributes are not supposed to be used together, so the issue can only occur if the CXF service is misconfigured.
7.5 (High)
Affected products
Fixed
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch | — |
Vendor Fix
fix
|
Threats
Impact
Moderate
A SSRF vulnerability was found in Apache CXF. This issue occurs when parsing the href attribute of XOP:Include in MTOM requests, allowing an attacker to perform SSRF style attacks on webservices that take at least one parameter of any type.
9.8 (Critical)
Affected products
Fixed
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch | — |
Vendor Fix
fix
|
Threats
Impact
Low
A flaw was found in Keycloak, where it did not properly check client tokens for possible revocation in its client credential flow. This flaw allows an attacker to access or modify potentially sensitive information.
CWE-20 - Improper Input ValidationAffected products
Fixed
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch | — |
Vendor Fix
fix
|
Threats
Impact
Low
A flaw was found in Keycloak's OpenID Connect user authentication, which may incorrectly authenticate requests. An authenticated attacker who could obtain information from a user request within the same realm could use that data to impersonate the victim and generate new session tokens. This issue could impact confidentiality, Integrity, and availability.
4.6 (Medium)
Affected products
Fixed
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch | — |
Vendor Fix
fix
|
Threats
Impact
Moderate
References
176 references
Acknowledgments
usd AG
Marcus Nilsson
SISOFT s.c.
Grzegorz Tworek
Trifork
Peter Flintholm
https://github.com/souravs17031999
Sourav Kumar
A1 Digital
Jordi Zayuelas i Muñoz
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "New Red Hat Single Sign-On 7.6.2 packages are now available for Red Hat Enterprise Linux 8.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Red Hat Single Sign-On 7.6 is a standalone server, based on the Keycloak project, that provides authentication and standards-based single sign-on capabilities for web and mobile applications.\n\nThis release of Red Hat Single Sign-On 7.6.2 on RHEL 8 serves as a replacement for Red Hat Single Sign-On 7.6.1, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.\n\nSecurity Fix(es):\n* keycloak: XSS on impersonation under specific circumstances (CVE-2022-1438)\n* Moment.js: Path traversal in moment.locale (CVE-2022-24785)\n* keycloak: missing email notification template allowlist (CVE-2022-1274)\n* keycloak: minimist: prototype pollution (CVE-2021-44906)\n* moment: inefficient parsing algorithm resulting in DoS (CVE-2022-31129)\n* undertow: DoS can be achieved as Undertow server waits for the LAST_CHUNK forever for EJB invocations (CVE-2022-2764)\n* snakeyaml: Denial of Service due to missing nested depth limitation for collections (CVE-2022-25857)\n* loader-utils: loader-utils:Regular expression denial of service (CVE-2022-37603)\n* keycloak: Session takeover with OIDC offline refreshtokens (CVE-2022-3916)\n* keycloak: path traversal via double URL encoding (CVE-2022-3782)\n* snakeyaml: Uncaught exception in org.yaml.snakeyaml.composer.Composer.composeSequenceNode (CVE-2022-38749)\n* snakeyaml: Uncaught exception in java.base/java.util.regex.Pattern$Ques.match (CVE-2022-38751)\n* snakeyaml: Uncaught exception in org.yaml.snakeyaml.constructor.BaseConstructor.constructObject (CVE-2022-38750)\n* keycloak: Client Registration endpoint does not check token revocation (CVE-2023-0091)\n* keycloak: glob-parent: Regular Expression Denial of Service (CVE-2021-35065)\n* json5: Prototype Pollution in JSON5 via Parse Method (CVE-2022-46175)\n* keycloak: keycloak: user impersonation via stolen uuid code (CVE-2023-0264)\n* snakeyaml: Constructor Deserialization Remote Code Execution (CVE-2022-1471)\n* CXF: Apache CXF: SSRF Vulnerability (CVE-2022-46364)\n* rcue-bootstrap: bootstrap: Cross-site Scripting (XSS) in the data-container property of tooltip (CVE-2018-14042)\n* jettison: If the value in map is the map\u0027s self, the new new JSONObject(map) cause StackOverflowError which may lead to dos (CVE-2022-45693)\n* sshd-common: mina-sshd: Java unsafe deserialization vulnerability (CVE-2022-45047)\n* jettison: memory exhaustion via user-supplied XML or JSON data (CVE-2022-40150)\n* jettison: parser crash by stackoverflow (CVE-2022-40149)\n* jackson-databind: use of deeply nested arrays (CVE-2022-42004)\n* jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS (CVE-2022-42003)\n* jquery: Cross-site scripting due to improper injQuery.htmlPrefilter method (CVE-2020-11022)\n* jquery: Passing HTML containing \u003coption\u003e elements to manipulation methods could result in untrusted code execution (CVE-2020-11023)\n* bootstrap: Cross-site Scripting (XSS) in the collapse data-parent attribute (CVE-2018-14040)\n* jquery: Prototype pollution in object\u0027s prototype leading to denial of service, remote code execution, or property injection (CVE-2019-11358)\n* CXF: Apache CXF: directory listing / code exfiltration (CVE-2022-46363)\n* keycloak: reflected XSS attack (CVE-2022-4137)\n\nFor more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2023:1044",
"url": "https://access.redhat.com/errata/RHSA-2023:1044"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "1601614",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1601614"
},
{
"category": "external",
"summary": "1601617",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1601617"
},
{
"category": "external",
"summary": "1701972",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1701972"
},
{
"category": "external",
"summary": "1828406",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1828406"
},
{
"category": "external",
"summary": "2031904",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031904"
},
{
"category": "external",
"summary": "2066009",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2066009"
},
{
"category": "external",
"summary": "2072009",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2072009"
},
{
"category": "external",
"summary": "2073157",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2073157"
},
{
"category": "external",
"summary": "2105075",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2105075"
},
{
"category": "external",
"summary": "2117506",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2117506"
},
{
"category": "external",
"summary": "2126789",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2126789"
},
{
"category": "external",
"summary": "2129706",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2129706"
},
{
"category": "external",
"summary": "2129707",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2129707"
},
{
"category": "external",
"summary": "2129709",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2129709"
},
{
"category": "external",
"summary": "2135244",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135244"
},
{
"category": "external",
"summary": "2135247",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135247"
},
{
"category": "external",
"summary": "2135770",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135770"
},
{
"category": "external",
"summary": "2135771",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135771"
},
{
"category": "external",
"summary": "2138971",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2138971"
},
{
"category": "external",
"summary": "2140597",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2140597"
},
{
"category": "external",
"summary": "2141404",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2141404"
},
{
"category": "external",
"summary": "2145194",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2145194"
},
{
"category": "external",
"summary": "2148496",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2148496"
},
{
"category": "external",
"summary": "2150009",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2150009"
},
{
"category": "external",
"summary": "2155681",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2155681"
},
{
"category": "external",
"summary": "2155682",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2155682"
},
{
"category": "external",
"summary": "2155970",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2155970"
},
{
"category": "external",
"summary": "2156263",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2156263"
},
{
"category": "external",
"summary": "2156324",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2156324"
},
{
"category": "external",
"summary": "2158585",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2158585"
},
{
"category": "external",
"summary": "2160585",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2160585"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2023/rhsa-2023_1044.json"
}
],
"title": "Red Hat Security Advisory: Red Hat Single Sign-On 7.6.2 security update on RHEL 8",
"tracking": {
"current_release_date": "2024-12-18T00:38:15+00:00",
"generator": {
"date": "2024-12-18T00:38:15+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.2.3"
}
},
"id": "RHSA-2023:1044",
"initial_release_date": "2023-03-01T21:45:12+00:00",
"revision_history": [
{
"date": "2023-03-01T21:45:12+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2023-03-01T21:45:12+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2024-12-18T00:38:15+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Single Sign-On 7.6 for RHEL 8",
"product": {
"name": "Red Hat Single Sign-On 7.6 for RHEL 8",
"product_id": "8Base-RHSSO-7.6",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:red_hat_single_sign_on:7.6::el8"
}
}
}
],
"category": "product_family",
"name": "Red Hat Single Sign-On"
},
{
"branches": [
{
"category": "product_version",
"name": "rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"product": {
"name": "rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"product_id": "rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/rh-sso7-keycloak@18.0.6-1.redhat_00001.1.el8sso?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"product": {
"name": "rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"product_id": "rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/rh-sso7-keycloak@18.0.6-1.redhat_00001.1.el8sso?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"product": {
"name": "rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"product_id": "rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/rh-sso7-keycloak-server@18.0.6-1.redhat_00001.1.el8sso?arch=noarch"
}
}
}
],
"category": "architecture",
"name": "noarch"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch as a component of Red Hat Single Sign-On 7.6 for RHEL 8",
"product_id": "8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
},
"product_reference": "rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"relates_to_product_reference": "8Base-RHSSO-7.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src as a component of Red Hat Single Sign-On 7.6 for RHEL 8",
"product_id": "8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src"
},
"product_reference": "rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"relates_to_product_reference": "8Base-RHSSO-7.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch as a component of Red Hat Single Sign-On 7.6 for RHEL 8",
"product_id": "8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
},
"product_reference": "rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"relates_to_product_reference": "8Base-RHSSO-7.6"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2018-14040",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2018-07-13T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1601614"
}
],
"notes": [
{
"category": "description",
"text": "In Bootstrap before 4.1.2, XSS is possible in the collapse data-parent attribute.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "bootstrap: Cross-site Scripting (XSS) in the collapse data-parent attribute",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Satellite 6.2 and newer versions don\u0027t use the bootstrap library, hence are not affected by this flaw.\n\nRed Hat CloudForms 4.6 and newer versions include the vulnerable component, but there is no risk of exploitation, since there is no possible vector to access the vulnerability. Older Red Hat CloudForms versions don\u0027t use the vulnerable component at all.\n\nRed Hat Enterprise Satellite 5 is now in Maintenance Support 2 phase of the support and maintenance life cycle. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Satellite 5 Life Cycle: https://access.redhat.com/support/policy/updates/satellite.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2018-14040"
},
{
"category": "external",
"summary": "RHBZ#1601614",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1601614"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2018-14040",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-14040"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2018-14040",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-14040"
}
],
"release_date": "2018-05-29T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:45:12+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1044"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
"products": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "bootstrap: Cross-site Scripting (XSS) in the collapse data-parent attribute"
},
{
"cve": "CVE-2018-14042",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2018-07-13T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1601617"
}
],
"notes": [
{
"category": "description",
"text": "In Bootstrap before 4.1.2, XSS is possible in the data-container property of tooltip.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "bootstrap: Cross-site Scripting (XSS) in the data-container property of tooltip",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Satellite 6.2 and newer versions don\u0027t use the bootstrap library, hence are not affected by this flaw.\n\nRed Hat CloudForms 4.6 and newer versions include the vulnerable component, but there is no risk of exploitation, since there is no possible vector to access the vulnerability. Older Red Hat CloudForms versions don\u0027t use the vulnerable component at all.\n\nRed Hat Enterprise Satellite 5 is now in Maintenance Support 2 phase of the support and maintenance life cycle. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Satellite 5 Life Cycle: https://access.redhat.com/support/policy/updates/satellite.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2018-14042"
},
{
"category": "external",
"summary": "RHBZ#1601617",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1601617"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2018-14042",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-14042"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2018-14042",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-14042"
}
],
"release_date": "2018-05-29T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:45:12+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1044"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
"products": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "bootstrap: Cross-site Scripting (XSS) in the data-container property of tooltip"
},
{
"cve": "CVE-2019-11358",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2019-03-28T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1701972"
}
],
"notes": [
{
"category": "description",
"text": "A Prototype Pollution vulnerability was found in jquery. Untrusted JSON passed to the `extend` function could lead to modifying objects up the prototype chain, including the global Object. A crafted JSON object passed to a vulnerable method could lead to denial of service or data injection, with various consequences.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jquery: Prototype pollution in object\u0027s prototype leading to denial of service, remote code execution, or property injection",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Virtualization 4.2 EUS contains the affected version of bootstrap in the packages ovirt-js-dependencies and ovirt-engine-dashboard. These packages are deprecated in Red Hat Virtualization 4.3.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2019-11358"
},
{
"category": "external",
"summary": "RHBZ#1701972",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1701972"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2019-11358",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-11358"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-11358",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-11358"
},
{
"category": "external",
"summary": "https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/",
"url": "https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/"
},
{
"category": "external",
"summary": "https://www.drupal.org/sa-core-2019-006",
"url": "https://www.drupal.org/sa-core-2019-006"
}
],
"release_date": "2019-03-27T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:45:12+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1044"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.0"
},
"products": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "jquery: Prototype pollution in object\u0027s prototype leading to denial of service, remote code execution, or property injection"
},
{
"cve": "CVE-2020-11022",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2020-04-23T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1828406"
}
],
"notes": [
{
"category": "description",
"text": "A Cross-site scripting (XSS) vulnerability exists in JQuery. This flaw allows an attacker with the ability to supply input to the \u2018HTML\u2019 function to inject Javascript into the page where that input is rendered, and have it delivered by the browser.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jquery: Cross-site scripting due to improper injQuery.htmlPrefilter method",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "No supported release of Red Hat OpenStack Platform is affected by this vulnerability as no shipped packages contain the vulnerable code.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2020-11022"
},
{
"category": "external",
"summary": "RHBZ#1828406",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1828406"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2020-11022",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-11022"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-11022",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-11022"
},
{
"category": "external",
"summary": "https://github.com/advisories/GHSA-gxr4-xjj5-5px2",
"url": "https://github.com/advisories/GHSA-gxr4-xjj5-5px2"
}
],
"release_date": "2020-04-23T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:45:12+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1044"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "jquery: Cross-site scripting due to improper injQuery.htmlPrefilter method"
},
{
"cve": "CVE-2020-11023",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2020-06-23T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1850004"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in jQuery. HTML containing \\\u003coption\\\u003e elements from untrusted sources are passed, even after sanitizing, to one of jQuery\u0027s DOM manipulation methods, which may execute untrusted code. The highest threat from this vulnerability is to data confidentiality and integrity.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jquery: Untrusted code execution via \u003coption\u003e tag in HTML passed to DOM manipulation methods",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Enterprise Linux versions 6, 7, and 8 ship a vulnerable version of JQuery in the `pcs` component. However, the vulnerability has not been found to be exploitable in reasonable scenarios. \n\nIn RHEL7, pcs-0.9.169-3.el7_9.3 [RHSA-2022:7343] contains an updated version of jquery (3.6.0), which does not contain the vulnerable code.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2020-11023"
},
{
"category": "external",
"summary": "RHBZ#1850004",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1850004"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2020-11023",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-11023"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-11023",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-11023"
},
{
"category": "external",
"summary": "https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/",
"url": "https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/"
}
],
"release_date": "2020-04-29T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:45:12+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1044"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "jquery: Untrusted code execution via \u003coption\u003e tag in HTML passed to DOM manipulation methods"
},
{
"cve": "CVE-2021-35065",
"cwe": {
"id": "CWE-400",
"name": "Uncontrolled Resource Consumption"
},
"discovery_date": "2022-12-26T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2156324"
}
],
"notes": [
{
"category": "description",
"text": "A vulnerability was found in the glob-parent package. Affected versions of this package are vulnerable to Regular expression Denial of Service (ReDoS) attacks, affecting system availability.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "glob-parent: Regular Expression Denial of Service",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "The glob-parent package is a transitive dependency and this is not used directly in any of the Red Hat products. Hence, the impact is reduced to Moderate.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2021-35065"
},
{
"category": "external",
"summary": "RHBZ#2156324",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2156324"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2021-35065",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-35065"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-35065",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-35065"
},
{
"category": "external",
"summary": "https://security.snyk.io/vuln/SNYK-JS-GLOBPARENT-1314294",
"url": "https://security.snyk.io/vuln/SNYK-JS-GLOBPARENT-1314294"
}
],
"release_date": "2022-12-26T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:45:12+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1044"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "glob-parent: Regular Expression Denial of Service"
},
{
"cve": "CVE-2021-44906",
"cwe": {
"id": "CWE-1321",
"name": "Improperly Controlled Modification of Object Prototype Attributes (\u0027Prototype Pollution\u0027)"
},
"discovery_date": "2022-03-19T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2066009"
}
],
"notes": [
{
"category": "description",
"text": "An Uncontrolled Resource Consumption flaw was found in minimist. This flaw allows an attacker to trick the library into adding or modifying the properties of Object.prototype, using a constructor or __proto__ payload, resulting in prototype pollution and loss of confidentiality, availability, and integrity.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "minimist: prototype pollution",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "The original fix for CVE-2020-7598 was incomplete as it was still possible to bypass in some cases. While this flaw (CVE-2021-44906) enables attackers to control objects that they should not have access to, actual exploitation would still require a chain of independent flaws. Even though the CVSS for CVE-2021-44906 is higher than CVE-2020-7598, they are both rated as having Moderate impact.\n\nWithin Red Hat Satellite 6 this flaw has been rated as having a security impact of Low. It is not currently planned to be addressed there, as the minimist library is only included in the -doc subpackage and is part of test fixtures that are not in the execution path used by the rabl gem.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2021-44906"
},
{
"category": "external",
"summary": "RHBZ#2066009",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2066009"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2021-44906",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-44906"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-44906",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-44906"
},
{
"category": "external",
"summary": "https://github.com/advisories/GHSA-xvch-5gv4-984h",
"url": "https://github.com/advisories/GHSA-xvch-5gv4-984h"
}
],
"release_date": "2022-03-10T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:45:12+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1044"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "minimist: prototype pollution"
},
{
"acknowledgments": [
{
"names": [
"Marcus Nilsson"
],
"organization": "usd AG"
}
],
"cve": "CVE-2022-1274",
"cwe": {
"id": "CWE-80",
"name": "Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)"
},
"discovery_date": "2022-04-07T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2073157"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Keycloak in the execute-actions-email endpoint. This issue allows arbitrary HTML to be injected into emails sent to Keycloak users and can be misused to perform phishing or other attacks against users.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "keycloak: HTML injection in execute-actions-email Admin REST API",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-1274"
},
{
"category": "external",
"summary": "RHBZ#2073157",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2073157"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-1274",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-1274"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-1274",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1274"
},
{
"category": "external",
"summary": "https://github.com/keycloak/keycloak/security/advisories/GHSA-m4fv-gm5m-4725",
"url": "https://github.com/keycloak/keycloak/security/advisories/GHSA-m4fv-gm5m-4725"
}
],
"release_date": "2023-02-28T18:57:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:45:12+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1044"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:N",
"version": "3.1"
},
"products": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "keycloak: HTML injection in execute-actions-email Admin REST API"
},
{
"acknowledgments": [
{
"names": [
"Grzegorz Tworek"
],
"organization": "SISOFT s.c."
}
],
"cve": "CVE-2022-1438",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2021-12-13T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2031904"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Keycloak. Under specific circumstances, HTML entities are not sanitized during user impersonation, resulting in a Cross-site scripting (XSS) vulnerability.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "keycloak: XSS on impersonation under specific circumstances",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-1438"
},
{
"category": "external",
"summary": "RHBZ#2031904",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031904"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-1438",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-1438"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-1438",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1438"
}
],
"release_date": "2023-02-28T18:56:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:45:12+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1044"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "keycloak: XSS on impersonation under specific circumstances"
},
{
"cve": "CVE-2022-1471",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2022-12-01T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2150009"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the SnakeYaml package. This flaw allows an attacker to benefit from remote code execution by sending malicious YAML content and this content being deserialized by the constructor. Deserialization is unsafe and leads to Remote Code Execution (RCE).",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "SnakeYaml: Constructor Deserialization Remote Code Execution",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "In the Red Hat Process Automation 7 (RHPAM) the untrusted, malicious YAML file for deserialization by the vulnerable Snakeyaml\u0027s SafeConstructor class must be provided intentionally by the RHPAM user which requires high privileges. The potential attack complexity is also high because it depends on conditions that are beyond the attacker\u0027s control. Due to that the impact for RHPAM is reduced to Low.\n\nRed Hat Fuse 7 does not expose by default any endpoint that passes incoming data/request into vulnerable Snakeyaml\u0027s Constructor class nor pass untrusted data to this class. When this class is used, it\u2019s still only used to parse internal configuration, hence the impact by this vulnerability to Red Hat Fuse 7 is reduced to Moderate.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-1471"
},
{
"category": "external",
"summary": "RHBZ#2150009",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2150009"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-1471",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-1471"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-1471",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1471"
},
{
"category": "external",
"summary": "https://github.com/google/security-research/security/advisories/GHSA-mjmj-j48q-9wg2",
"url": "https://github.com/google/security-research/security/advisories/GHSA-mjmj-j48q-9wg2"
}
],
"release_date": "2022-10-13T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:45:12+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1044"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "SnakeYaml: Constructor Deserialization Remote Code Execution"
},
{
"cve": "CVE-2022-2764",
"discovery_date": "2022-08-11T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2117506"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Undertow with EJB invocations. This flaw allows an attacker to generate a valid HTTP request and send it to the server on an established connection after removing the LAST_CHUNK from the bytes, causing a denial of service.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "Undertow: DoS can be achieved as Undertow server waits for the LAST_CHUNK forever for EJB invocations",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-2764"
},
{
"category": "external",
"summary": "RHBZ#2117506",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2117506"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-2764",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-2764"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-2764",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2764"
}
],
"release_date": "2022-08-11T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:45:12+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1044"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 4.2,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "Undertow: DoS can be achieved as Undertow server waits for the LAST_CHUNK forever for EJB invocations"
},
{
"acknowledgments": [
{
"names": [
"Peter Flintholm"
],
"organization": "Trifork"
}
],
"cve": "CVE-2022-3916",
"cwe": {
"id": "CWE-384",
"name": "Session Fixation"
},
"discovery_date": "2022-11-09T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2141404"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the offline_access scope in Keycloak. This issue would affect users of shared computers more (especially if cookies are not cleared), due to a lack of root session validation, and the reuse of session ids across root and user authentication sessions. This enables an attacker to resolve a user session attached to a previously authenticated user; when utilizing the refresh token, they will be issued a token for the original user.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "keycloak: Session takeover with OIDC offline refreshtokens",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-3916"
},
{
"category": "external",
"summary": "RHBZ#2141404",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2141404"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-3916",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-3916"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-3916",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3916"
}
],
"release_date": "2022-11-09T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:45:12+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1044"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "keycloak: Session takeover with OIDC offline refreshtokens"
},
{
"cve": "CVE-2022-4137",
"cwe": {
"id": "CWE-81",
"name": "Improper Neutralization of Script in an Error Message Web Page"
},
"discovery_date": "2022-11-25T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2148496"
}
],
"notes": [
{
"category": "description",
"text": "A reflected cross-site scripting (XSS) vulnerability was found in the \u0027oob\u0027 OAuth endpoint due to incorrect null-byte handling. This issue allows a malicious link to insert an arbitrary URI into a Keycloak error page. This flaw requires a user or administrator to interact with a link in order to be vulnerable. This may compromise user details, allowing it to be changed or collected by an attacker.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "keycloak: reflected XSS attack",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-4137"
},
{
"category": "external",
"summary": "RHBZ#2148496",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2148496"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-4137",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-4137"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-4137",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-4137"
}
],
"release_date": "2023-03-01T13:56:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:45:12+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1044"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "keycloak: reflected XSS attack"
},
{
"cve": "CVE-2022-24785",
"cwe": {
"id": "CWE-22",
"name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
},
"discovery_date": "2022-04-05T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2072009"
}
],
"notes": [
{
"category": "description",
"text": "A path traversal vulnerability was found in Moment.js that impacts npm (server) users. This issue occurs if a user-provided locale string is directly used to switch moment locale, which an attacker can exploit to change the correct path to one of their choice. This can result in a loss of integrity.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "Moment.js: Path traversal in moment.locale",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-24785"
},
{
"category": "external",
"summary": "RHBZ#2072009",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2072009"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-24785",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-24785"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-24785",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24785"
},
{
"category": "external",
"summary": "https://github.com/moment/moment/security/advisories/GHSA-8hfj-j24r-96c4",
"url": "https://github.com/moment/moment/security/advisories/GHSA-8hfj-j24r-96c4"
}
],
"release_date": "2022-04-04T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:45:12+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1044"
},
{
"category": "workaround",
"details": "Sanitize the user-provided locale name before passing it to Moment.js.",
"product_ids": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"products": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "Moment.js: Path traversal in moment.locale"
},
{
"cve": "CVE-2022-25857",
"cwe": {
"id": "CWE-400",
"name": "Uncontrolled Resource Consumption"
},
"discovery_date": "2022-09-14T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2126789"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the org.yaml.snakeyaml package. This flaw allows an attacker to cause a denial of service (DoS) due to missing nested depth limitation for collections.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "snakeyaml: Denial of Service due to missing nested depth limitation for collections",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "For RHEL-8 it\u0027s downgraded to moderate because \"snakeyaml\" itself in RHEL 8 or RHEL-9 isn\u0027t shipped and \"prometheus-jmx-exporter\" is needed as build dependency. And it\u0027s not directly exploitable, hence severity marked as moderate.\nRed Hat Integration and AMQ products are not vulnerable to this flaw, so their severity has been lowered to moderate.\nRed Hat Single Sign-On uses snakeyaml from liquibase-core and is only used when performing migrations and would require administrator privileges to execute, hence severity marked as Low.\nRed Hat Fuse 7 is now in Maintenance Support Phase and details about its fix should be present soon. However, Red Hat Fuse Online (Syndesis) does will not contain the fix for this flaw.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-25857"
},
{
"category": "external",
"summary": "RHBZ#2126789",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2126789"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-25857",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-25857"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-25857",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-25857"
},
{
"category": "external",
"summary": "https://bitbucket.org/snakeyaml/snakeyaml/issues/525",
"url": "https://bitbucket.org/snakeyaml/snakeyaml/issues/525"
}
],
"release_date": "2022-08-30T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:45:12+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1044"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "snakeyaml: Denial of Service due to missing nested depth limitation for collections"
},
{
"cve": "CVE-2022-31129",
"cwe": {
"id": "CWE-400",
"name": "Uncontrolled Resource Consumption"
},
"discovery_date": "2022-07-07T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2105075"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the Moment.js package. Users who pass user-provided strings without sanity length checks to the moment constructor are vulnerable to regular expression denial of service (ReDoS) attacks.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "moment: inefficient parsing algorithm resulting in DoS",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Fuse provides the affected software but does not use the functionality and as such its impact has been downgraded to Low.\n\nRed Hat Advanced Cluster Management for Kubernetes (RHACM) ships a vulnerable version of the moment library. However, this affected functionality is restricted behind OAuth, reducing the impact to Moderate.\n\nRed Hat Satellite ships a vulnerable version of the moment library. However, this only affects a specific component (qpid-dispatch), reducing the impact to Moderate.\n\nRed Hat Ceph Storage (RHCS) ships a vulnerable version of the moment library, however, it is not directly used and is a transitive dependency from Angular. In addition, the impact would only be to the grafana browser, and not the underlying RHCS system, which reduces the impact to Moderate. \n\nRed Hat OpenShift Service Mesh (OSSM) ships a vulnerable version of the moment library, however, it is not directly used, and as such, the impact has been lowered to Moderate.\n\nRed Hat OpenShift distributed tracing ships a vulnerable version of the moment library, however, it is not directly used, and as such, the impact has been lowered to Moderate.\n\nIn Logging Subsystem for Red Hat OpenShift the vulnerable moment nodejs package is bundled in the ose-logging-kibana6 container as a transitive dependency, hence the direct impact is reduced to Moderate.\n\nIn OpenShift Container Platform 4 the vulnerabile moment package is a third party dependency, hence the direct impact is reduced to Moderate.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-31129"
},
{
"category": "external",
"summary": "RHBZ#2105075",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2105075"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-31129",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-31129"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-31129",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-31129"
},
{
"category": "external",
"summary": "https://github.com/moment/moment/security/advisories/GHSA-wc69-rhjr-hc9g",
"url": "https://github.com/moment/moment/security/advisories/GHSA-wc69-rhjr-hc9g"
}
],
"release_date": "2022-07-06T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:45:12+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1044"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "moment: inefficient parsing algorithm resulting in DoS"
},
{
"cve": "CVE-2022-37603",
"cwe": {
"id": "CWE-185",
"name": "Incorrect Regular Expression"
},
"discovery_date": "2022-11-07T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2140597"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in loader-utils webpack library. When the url variable from interpolateName is set, the prototype can be polluted. This issue could lead to a regular expression Denial of Service (ReDoS), affecting the availability of the affected component.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "loader-utils: Regular expression denial of service",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-37603"
},
{
"category": "external",
"summary": "RHBZ#2140597",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2140597"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-37603",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-37603"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-37603",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-37603"
}
],
"release_date": "2022-10-06T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:45:12+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1044"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "loader-utils: Regular expression denial of service"
},
{
"cve": "CVE-2022-38749",
"cwe": {
"id": "CWE-787",
"name": "Out-of-bounds Write"
},
"discovery_date": "2022-09-26T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2129706"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the snakeyaml package due to a stack-overflow in parsing YAML files. By persuading a victim to open a specially-crafted file, a remote attacker could cause the application to crash, resulting in a denial of service.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "snakeyaml: Uncaught exception in org.yaml.snakeyaml.composer.Composer.composeSequenceNode",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Build of Quarkus is not affected by this issue as it already includes the fixed version.\n\nSatellite component Candlepin does not directly use snakeyaml, so it is not affected. Regardless, an update with the latest, unaffected snakeyaml version will be provided at next release.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-38749"
},
{
"category": "external",
"summary": "RHBZ#2129706",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2129706"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-38749",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-38749"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-38749",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-38749"
}
],
"release_date": "2022-09-05T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:45:12+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1044"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "snakeyaml: Uncaught exception in org.yaml.snakeyaml.composer.Composer.composeSequenceNode"
},
{
"cve": "CVE-2022-38750",
"cwe": {
"id": "CWE-787",
"name": "Out-of-bounds Write"
},
"discovery_date": "2022-09-26T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2129707"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the snakeyaml package due to a stack-overflow in parsing YAML files. By persuading a victim to open a specially-crafted file, a remote attacker could cause the application to crash.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "snakeyaml: Uncaught exception in org.yaml.snakeyaml.constructor.BaseConstructor.constructObject",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Build of Quarkus is not affected by this issue as it already includes the fixed version.\n\nSatellite component Candlepin does not directly use snakeyaml, so it is not affected. Regardless, an update with the latest, unaffected snakeyaml version will be provided at next release.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-38750"
},
{
"category": "external",
"summary": "RHBZ#2129707",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2129707"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-38750",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-38750"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-38750",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-38750"
}
],
"release_date": "2022-09-05T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:45:12+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1044"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "snakeyaml: Uncaught exception in org.yaml.snakeyaml.constructor.BaseConstructor.constructObject"
},
{
"cve": "CVE-2022-38751",
"cwe": {
"id": "CWE-787",
"name": "Out-of-bounds Write"
},
"discovery_date": "2022-09-26T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2129709"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the snakeyaml package due to a stack-overflow in parsing YAML files. By persuading a victim to open a specially-crafted file, a remote attacker could cause the application to crash.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "snakeyaml: Uncaught exception in java.base/java.util.regex.Pattern$Ques.match",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Build of Quarkus is not affected by this issue as it already includes the fixed version.\n\nSatellite component Candlepin does not directly use snakeyaml, so it is not affected. Regardless, an update with the latest, unaffected snakeyaml version will be provided at next release.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-38751"
},
{
"category": "external",
"summary": "RHBZ#2129709",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2129709"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-38751",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-38751"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-38751",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-38751"
}
],
"release_date": "2022-09-05T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:45:12+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1044"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "snakeyaml: Uncaught exception in java.base/java.util.regex.Pattern$Ques.match"
},
{
"cve": "CVE-2022-40149",
"cwe": {
"id": "CWE-787",
"name": "Out-of-bounds Write"
},
"discovery_date": "2022-10-18T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2135771"
}
],
"notes": [
{
"category": "description",
"text": "A stack-based buffer overflow vulnerability was found in Jettison, where parsing an untrusted XML or JSON data may lead to a crash. This flaw allows an attacker to supply content that causes the parser to crash by writing outside the memory bounds if the parser is running on user-supplied input, resulting in a denial of service attack.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jettison: parser crash by stackoverflow",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-40149"
},
{
"category": "external",
"summary": "RHBZ#2135771",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135771"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-40149",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-40149"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-40149",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-40149"
},
{
"category": "external",
"summary": "https://github.com/jettison-json/jettison/releases/tag/jettison-1.5.1",
"url": "https://github.com/jettison-json/jettison/releases/tag/jettison-1.5.1"
}
],
"release_date": "2022-09-20T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:45:12+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1044"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "jettison: parser crash by stackoverflow"
},
{
"cve": "CVE-2022-40150",
"cwe": {
"id": "CWE-400",
"name": "Uncontrolled Resource Consumption"
},
"discovery_date": "2022-10-18T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2135770"
}
],
"notes": [
{
"category": "description",
"text": "A vulnerability was found in Jettison, where parsing an untrusted XML or JSON data may lead to a crash. If the parser is running on user-supplied input, an attacker may supply content that causes the parser to crash, causing memory exhaustion. This effect may support a denial of service attack.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jettison: memory exhaustion via user-supplied XML or JSON data",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-40150"
},
{
"category": "external",
"summary": "RHBZ#2135770",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135770"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-40150",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-40150"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-40150",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-40150"
},
{
"category": "external",
"summary": "https://github.com/jettison-json/jettison/releases/tag/jettison-1.5.1",
"url": "https://github.com/jettison-json/jettison/releases/tag/jettison-1.5.1"
}
],
"release_date": "2022-09-20T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:45:12+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1044"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "jettison: memory exhaustion via user-supplied XML or JSON data"
},
{
"cve": "CVE-2022-42003",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2022-10-17T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2135244"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in FasterXML jackson-databind. This issue could allow an attacker to benefit from resource exhaustion when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled due to unchecked primitive value deserializers to avoid deep wrapper array nesting.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-42003"
},
{
"category": "external",
"summary": "RHBZ#2135244",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135244"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-42003",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-42003"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-42003",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-42003"
}
],
"release_date": "2022-10-02T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:45:12+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1044"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS"
},
{
"cve": "CVE-2022-42004",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2022-10-17T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2135247"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found In FasterXML jackson-databind. This issue could allow an attacker to benefit from resource exhaustion due to the lack of a check in BeanDeserializer._deserializeFromArray to prevent the use of deeply nested arrays. An application is only vulnerable with certain customized choices for deserialization.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jackson-databind: use of deeply nested arrays",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-42004"
},
{
"category": "external",
"summary": "RHBZ#2135247",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135247"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-42004",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-42004"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-42004",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-42004"
}
],
"release_date": "2022-10-02T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:45:12+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1044"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "jackson-databind: use of deeply nested arrays"
},
{
"cve": "CVE-2022-45047",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2022-11-23T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2145194"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Apache MINA SSHD, when using Java deserialization to load a serialized java.security.PrivateKey. An attacker could benefit from unsafe deserialization by inserting unsecured data that may affect the application or server.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "mina-sshd: Java unsafe deserialization vulnerability",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Impact as High as there\u0027s a mitigation for minimizing the impact which the flaw requires org.apache.sshd.server.keyprovider.SimpleGeneratorHostKeyProvider to be impacted, which would require an external/public API for an attacker to benefit from it. \n\nRed Hat Fuse 7 and Red Hat JBoss Enterprise Application Platform 7 have a lower rate (moderate) as it\u0027s very unlikely to be exploited since those are for internal usage or use a custom implementation in their case.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-45047"
},
{
"category": "external",
"summary": "RHBZ#2145194",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2145194"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-45047",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-45047"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-45047",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-45047"
},
{
"category": "external",
"summary": "https://www.mail-archive.com/dev@mina.apache.org/msg39312.html",
"url": "https://www.mail-archive.com/dev@mina.apache.org/msg39312.html"
}
],
"release_date": "2022-11-16T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:45:12+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1044"
},
{
"category": "workaround",
"details": "From the maintainer:\n\nFor Apache MINA SSHD \u003c= 2.9.1, do not use org.apache.sshd.server.keyprovider.SimpleGeneratorHostKeyProvider to generate and later load your server\u0027s host key. Use separately generated host key files, for instance in OpenSSH format, and load them via a org.apache.sshd.common.keyprovider.FileKeyPairProvider instead. Or use a custom implementation instead of \nSimpleGeneratorHostKeyProvider that uses the OpenSSH format for storing and loading the host key (via classes OpenSSHKeyPairResourceWriter and OpenSSHKeyPairResourceParser).",
"product_ids": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "mina-sshd: Java unsafe deserialization vulnerability"
},
{
"cve": "CVE-2022-45693",
"cwe": {
"id": "CWE-787",
"name": "Out-of-bounds Write"
},
"discovery_date": "2022-12-23T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2155970"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Jettison, where it is vulnerable to a denial of service caused by a stack-based buffer overflow. By sending a specially-crafted request using the map parameter, a remote attacker can cause a denial of service.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jettison: If the value in map is the map\u0027s self, the new new JSONObject(map) cause StackOverflowError which may lead to dos",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat has determined the impact of this flaw to be Moderate; a successful attack using this flaw would require the processing of untrusted, unsanitized, or unrestricted user inputs, which runs counter to established Red Hat security practices.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-45693"
},
{
"category": "external",
"summary": "RHBZ#2155970",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2155970"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-45693",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-45693"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-45693",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-45693"
}
],
"release_date": "2022-12-13T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:45:12+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1044"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "jettison: If the value in map is the map\u0027s self, the new new JSONObject(map) cause StackOverflowError which may lead to dos"
},
{
"cve": "CVE-2022-46175",
"cwe": {
"id": "CWE-1321",
"name": "Improperly Controlled Modification of Object Prototype Attributes (\u0027Prototype Pollution\u0027)"
},
"discovery_date": "2022-12-26T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2156263"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the json5 package. The affected version of the json5 package could allow an attacker to set arbitrary and unexpected keys on the object returned from JSON5.parse.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "json5: Prototype Pollution in JSON5 via Parse Method",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "The json5 package is a build-time dependency in Red Hat products and is not used in production runtime. Hence, the impact is set to Moderate.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-46175"
},
{
"category": "external",
"summary": "RHBZ#2156263",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2156263"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-46175",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-46175"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-46175",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-46175"
},
{
"category": "external",
"summary": "https://github.com/json5/json5/security/advisories/GHSA-9c47-m6qq-7p4h",
"url": "https://github.com/json5/json5/security/advisories/GHSA-9c47-m6qq-7p4h"
}
],
"release_date": "2022-12-24T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:45:12+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1044"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "json5: Prototype Pollution in JSON5 via Parse Method"
},
{
"cve": "CVE-2022-46363",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"discovery_date": "2022-12-21T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2155681"
}
],
"notes": [
{
"category": "description",
"text": "A vulnerability was found in Apache CXF that could allow an attacker to perform a remote directory listing or code exfiltration. This issue only applies when the CXFServlet is configured with both the static-resources-list and redirect-query-check attributes. These attributes are not supposed to be used together, so the issue can only occur if the CXF service is misconfigured.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "CXF: directory listing / code exfiltration",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-46363"
},
{
"category": "external",
"summary": "RHBZ#2155681",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2155681"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-46363",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-46363"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-46363",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-46363"
},
{
"category": "external",
"summary": "https://lists.apache.org/thread/pdzo1qgyplf4y523tnnzrcm7hoco3l8c",
"url": "https://lists.apache.org/thread/pdzo1qgyplf4y523tnnzrcm7hoco3l8c"
}
],
"release_date": "2022-12-13T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:45:12+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1044"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "CXF: directory listing / code exfiltration"
},
{
"cve": "CVE-2022-46364",
"cwe": {
"id": "CWE-918",
"name": "Server-Side Request Forgery (SSRF)"
},
"discovery_date": "2022-12-21T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2155682"
}
],
"notes": [
{
"category": "description",
"text": "A SSRF vulnerability was found in Apache CXF. This issue occurs when parsing the href attribute of XOP:Include in MTOM requests, allowing an attacker to perform SSRF style attacks on webservices that take at least one parameter of any type.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "CXF: SSRF Vulnerability",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Integration Camel Quarkus does not support CXF extensions and so is affected at a reduced impact of Moderate.\nThe RHSSO server does not ship Apache CXF. The component mentioned in CVE-2022-46364 is a transitive dependency coming from Fuse adapters and the test suite.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-46364"
},
{
"category": "external",
"summary": "RHBZ#2155682",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2155682"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-46364",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-46364"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-46364",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-46364"
},
{
"category": "external",
"summary": "https://cxf.apache.org/security-advisories.data/CVE-2022-46364.txt?version=1\u0026modificationDate=1670944472739\u0026api=v2",
"url": "https://cxf.apache.org/security-advisories.data/CVE-2022-46364.txt?version=1\u0026modificationDate=1670944472739\u0026api=v2"
}
],
"release_date": "2022-12-13T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:45:12+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1044"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "CXF: SSRF Vulnerability"
},
{
"acknowledgments": [
{
"names": [
"Sourav Kumar"
],
"organization": "https://github.com/souravs17031999",
"summary": "Acknowledged by upstream."
}
],
"cve": "CVE-2023-0091",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"discovery_date": "2022-10-28T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2158585"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Keycloak, where it did not properly check client tokens for possible revocation in its client credential flow. This flaw allows an attacker to access or modify potentially sensitive information.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "keycloak: Client Registration endpoint does not check token revocation",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2023-0091"
},
{
"category": "external",
"summary": "RHBZ#2158585",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2158585"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2023-0091",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-0091"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-0091",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0091"
},
{
"category": "external",
"summary": "https://github.com/keycloak/keycloak/security/advisories/GHSA-v436-q368-hvgg",
"url": "https://github.com/keycloak/keycloak/security/advisories/GHSA-v436-q368-hvgg"
},
{
"category": "external",
"summary": "https://github.com/keycloak/security/issues/27",
"url": "https://github.com/keycloak/security/issues/27"
}
],
"release_date": "2022-10-28T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:45:12+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1044"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.8,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "keycloak: Client Registration endpoint does not check token revocation"
},
{
"acknowledgments": [
{
"names": [
"Jordi Zayuelas i Mu\u00f1oz"
],
"organization": "A1 Digital",
"summary": "Acknowledged by upstream."
}
],
"cve": "CVE-2023-0264",
"cwe": {
"id": "CWE-303",
"name": "Incorrect Implementation of Authentication Algorithm"
},
"discovery_date": "2023-01-12T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2160585"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Keycloak\u0027s OpenID Connect user authentication, which may incorrectly authenticate requests. An authenticated attacker who could obtain information from a user request within the same realm could use that data to impersonate the victim and generate new session tokens. This issue could impact confidentiality, Integrity, and availability.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "keycloak: user impersonation via stolen uuid code",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2023-0264"
},
{
"category": "external",
"summary": "RHBZ#2160585",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2160585"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2023-0264",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-0264"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-0264",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0264"
}
],
"release_date": "2023-02-28T18:58:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:45:12+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1044"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "LOW",
"baseScore": 4.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
},
"products": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "keycloak: user impersonation via stolen uuid code"
}
]
}
RHSA-2023_1045
Vulnerability from csaf_redhat - Published: 2023-03-01 21:45 - Updated: 2024-12-18 00:38Summary
Red Hat Security Advisory: Red Hat Single Sign-On 7.6.2 security update on RHEL 9
Severity
Important
Notes
Topic: New Red Hat Single Sign-On 7.6.2 packages are now available for Red Hat Enterprise Linux 9.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details: Red Hat Single Sign-On 7.6 is a standalone server, based on the Keycloak project, that provides authentication and standards-based single sign-on capabilities for web and mobile applications.
This release of Red Hat Single Sign-On 7.6.2 on RHEL 9 serves as a replacement for Red Hat Single Sign-On 7.6.1, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.
Security Fix(es):
* keycloak: XSS on impersonation under specific circumstances (CVE-2022-1438)
* Moment.js: Path traversal in moment.locale (CVE-2022-24785)
* keycloak: missing email notification template allowlist (CVE-2022-1274)
* keycloak: minimist: prototype pollution (CVE-2021-44906)
* moment: inefficient parsing algorithm resulting in DoS (CVE-2022-31129)
* undertow: DoS can be achieved as Undertow server waits for the LAST_CHUNK forever for EJB invocations (CVE-2022-2764)
* snakeyaml: Denial of Service due to missing nested depth limitation for collections (CVE-2022-25857)
* loader-utils: loader-utils:Regular expression denial of service (CVE-2022-37603)
* keycloak: Session takeover with OIDC offline refreshtokens (CVE-2022-3916)
* keycloak: path traversal via double URL encoding (CVE-2022-3782)
* snakeyaml: Uncaught exception in org.yaml.snakeyaml.composer.Composer.composeSequenceNode (CVE-2022-38749)
* snakeyaml: Uncaught exception in java.base/java.util.regex.Pattern$Ques.match (CVE-2022-38751)
* snakeyaml: Uncaught exception in org.yaml.snakeyaml.constructor.BaseConstructor.constructObject (CVE-2022-38750)
* keycloak: Client Registration endpoint does not check token revocation (CVE-2023-0091)
* keycloak: glob-parent: Regular Expression Denial of Service (CVE-2021-35065)
* json5: Prototype Pollution in JSON5 via Parse Method (CVE-2022-46175)
* keycloak: keycloak: user impersonation via stolen uuid code (CVE-2023-0264)
* snakeyaml: Constructor Deserialization Remote Code Execution (CVE-2022-1471)
* CXF: Apache CXF: SSRF Vulnerability (CVE-2022-46364)
* rcue-bootstrap: bootstrap: Cross-site Scripting (XSS) in the data-container property of tooltip (CVE-2018-14042)
* jettison: If the value in map is the map's self, the new new JSONObject(map) cause StackOverflowError which may lead to dos (CVE-2022-45693)
* sshd-common: mina-sshd: Java unsafe deserialization vulnerability (CVE-2022-45047)
* jettison: memory exhaustion via user-supplied XML or JSON data (CVE-2022-40150)
* jettison: parser crash by stackoverflow (CVE-2022-40149)
* jackson-databind: use of deeply nested arrays (CVE-2022-42004)
* jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS (CVE-2022-42003)
* jquery: Cross-site scripting due to improper injQuery.htmlPrefilter method (CVE-2020-11022)
* jquery: Passing HTML containing <option> elements to manipulation methods could result in untrusted code execution (CVE-2020-11023)
* bootstrap: Cross-site Scripting (XSS) in the collapse data-parent attribute (CVE-2018-14040)
* jquery: Prototype pollution in object's prototype leading to denial of service, remote code execution, or property injection (CVE-2019-11358)
* CXF: Apache CXF: directory listing / code exfiltration (CVE-2022-46363)
* keycloak: reflected XSS attack (CVE-2022-4137)
For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
In Bootstrap before 4.1.2, XSS is possible in the collapse data-parent attribute.
6.1 (Medium)
Affected products
Fixed
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch | — |
Vendor Fix
fix
|
Threats
Impact
Moderate
In Bootstrap before 4.1.2, XSS is possible in the data-container property of tooltip.
6.1 (Medium)
Affected products
Fixed
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch | — |
Vendor Fix
fix
|
Threats
Impact
Moderate
A Prototype Pollution vulnerability was found in jquery. Untrusted JSON passed to the `extend` function could lead to modifying objects up the prototype chain, including the global Object. A crafted JSON object passed to a vulnerable method could lead to denial of service or data injection, with various consequences.
5.6 (Medium)
Affected products
Fixed
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch | — |
Vendor Fix
fix
|
Threats
Impact
Moderate
A Cross-site scripting (XSS) vulnerability exists in JQuery. This flaw allows an attacker with the ability to supply input to the ‘HTML’ function to inject Javascript into the page where that input is rendered, and have it delivered by the browser.
6.1 (Medium)
Affected products
Fixed
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch | — |
Vendor Fix
fix
|
Threats
Impact
Moderate
A flaw was found in jQuery. HTML containing \<option\> elements from untrusted sources are passed, even after sanitizing, to one of jQuery's DOM manipulation methods, which may execute untrusted code. The highest threat from this vulnerability is to data confidentiality and integrity.
6.1 (Medium)
Affected products
Fixed
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch | — |
Vendor Fix
fix
|
Threats
Impact
Moderate
A vulnerability was found in the glob-parent package. Affected versions of this package are vulnerable to Regular expression Denial of Service (ReDoS) attacks, affecting system availability.
7.5 (High)
Affected products
Fixed
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch | — |
Vendor Fix
fix
|
Threats
Impact
Low
An Uncontrolled Resource Consumption flaw was found in minimist. This flaw allows an attacker to trick the library into adding or modifying the properties of Object.prototype, using a constructor or __proto__ payload, resulting in prototype pollution and loss of confidentiality, availability, and integrity.
9.8 (Critical)
Affected products
Fixed
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch | — |
Vendor Fix
fix
|
Threats
Impact
Moderate
A flaw was found in Keycloak in the execute-actions-email endpoint. This issue allows arbitrary HTML to be injected into emails sent to Keycloak users and can be misused to perform phishing or other attacks against users.
7.6 (High)
Affected products
Fixed
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch | — |
Vendor Fix
fix
|
Threats
Impact
Moderate
A flaw was found in Keycloak. Under specific circumstances, HTML entities are not sanitized during user impersonation, resulting in a Cross-site scripting (XSS) vulnerability.
6.4 (Medium)
Affected products
Fixed
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch | — |
Vendor Fix
fix
|
Threats
Impact
Moderate
A flaw was found in the SnakeYaml package. This flaw allows an attacker to benefit from remote code execution by sending malicious YAML content and this content being deserialized by the constructor. Deserialization is unsafe and leads to Remote Code Execution (RCE).
9.8 (Critical)
Affected products
Fixed
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch | — |
Vendor Fix
fix
|
Threats
Impact
Important
A flaw was found in Undertow with EJB invocations. This flaw allows an attacker to generate a valid HTTP request and send it to the server on an established connection after removing the LAST_CHUNK from the bytes, causing a denial of service.
4.2 (Medium)
Affected products
Fixed
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch | — |
Vendor Fix
fix
|
Threats
Impact
Low
A flaw was found in the offline_access scope in Keycloak. This issue would affect users of shared computers more (especially if cookies are not cleared), due to a lack of root session validation, and the reuse of session ids across root and user authentication sessions. This enables an attacker to resolve a user session attached to a previously authenticated user; when utilizing the refresh token, they will be issued a token for the original user.
6.8 (Medium)
Affected products
Fixed
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch | — |
Vendor Fix
fix
|
Threats
Impact
Moderate
A reflected cross-site scripting (XSS) vulnerability was found in the 'oob' OAuth endpoint due to incorrect null-byte handling. This issue allows a malicious link to insert an arbitrary URI into a Keycloak error page. This flaw requires a user or administrator to interact with a link in order to be vulnerable. This may compromise user details, allowing it to be changed or collected by an attacker.
8.1 (High)
Affected products
Fixed
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch | — |
Vendor Fix
fix
|
Threats
Impact
Important
A path traversal vulnerability was found in Moment.js that impacts npm (server) users. This issue occurs if a user-provided locale string is directly used to switch moment locale, which an attacker can exploit to change the correct path to one of their choice. This can result in a loss of integrity.
7.5 (High)
Affected products
Fixed
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Moderate
A flaw was found in the org.yaml.snakeyaml package. This flaw allows an attacker to cause a denial of service (DoS) due to missing nested depth limitation for collections.
7.5 (High)
Affected products
Fixed
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch | — |
Vendor Fix
fix
|
Threats
Impact
Low
A flaw was found in the Moment.js package. Users who pass user-provided strings without sanity length checks to the moment constructor are vulnerable to regular expression denial of service (ReDoS) attacks.
7.5 (High)
Affected products
Fixed
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch | — |
Vendor Fix
fix
|
Threats
Impact
Important
A flaw was found in loader-utils webpack library. When the url variable from interpolateName is set, the prototype can be polluted. This issue could lead to a regular expression Denial of Service (ReDoS), affecting the availability of the affected component.
7.5 (High)
Affected products
Fixed
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch | — |
Vendor Fix
fix
|
Threats
Impact
Moderate
A flaw was found in the snakeyaml package due to a stack-overflow in parsing YAML files. By persuading a victim to open a specially-crafted file, a remote attacker could cause the application to crash, resulting in a denial of service.
6.5 (Medium)
Affected products
Fixed
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch | — |
Vendor Fix
fix
|
Threats
Impact
Moderate
A flaw was found in the snakeyaml package due to a stack-overflow in parsing YAML files. By persuading a victim to open a specially-crafted file, a remote attacker could cause the application to crash.
5.5 (Medium)
Affected products
Fixed
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch | — |
Vendor Fix
fix
|
Threats
Impact
Moderate
A flaw was found in the snakeyaml package due to a stack-overflow in parsing YAML files. By persuading a victim to open a specially-crafted file, a remote attacker could cause the application to crash.
6.5 (Medium)
Affected products
Fixed
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch | — |
Vendor Fix
fix
|
Threats
Impact
Moderate
A stack-based buffer overflow vulnerability was found in Jettison, where parsing an untrusted XML or JSON data may lead to a crash. This flaw allows an attacker to supply content that causes the parser to crash by writing outside the memory bounds if the parser is running on user-supplied input, resulting in a denial of service attack.
7.5 (High)
Affected products
Fixed
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch | — |
Vendor Fix
fix
|
Threats
Impact
Moderate
A vulnerability was found in Jettison, where parsing an untrusted XML or JSON data may lead to a crash. If the parser is running on user-supplied input, an attacker may supply content that causes the parser to crash, causing memory exhaustion. This effect may support a denial of service attack.
7.5 (High)
Affected products
Fixed
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch | — |
Vendor Fix
fix
|
Threats
Impact
Low
A flaw was found in FasterXML jackson-databind. This issue could allow an attacker to benefit from resource exhaustion when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled due to unchecked primitive value deserializers to avoid deep wrapper array nesting.
7.5 (High)
Affected products
Fixed
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch | — |
Vendor Fix
fix
|
Threats
Impact
Moderate
A flaw was found In FasterXML jackson-databind. This issue could allow an attacker to benefit from resource exhaustion due to the lack of a check in BeanDeserializer._deserializeFromArray to prevent the use of deeply nested arrays. An application is only vulnerable with certain customized choices for deserialization.
7.5 (High)
Affected products
Fixed
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch | — |
Vendor Fix
fix
|
Threats
Impact
Moderate
A flaw was found in Apache MINA SSHD, when using Java deserialization to load a serialized java.security.PrivateKey. An attacker could benefit from unsafe deserialization by inserting unsecured data that may affect the application or server.
9.8 (Critical)
Affected products
Fixed
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Important
A flaw was found in Jettison, where it is vulnerable to a denial of service caused by a stack-based buffer overflow. By sending a specially-crafted request using the map parameter, a remote attacker can cause a denial of service.
7.5 (High)
Affected products
Fixed
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch | — |
Vendor Fix
fix
|
Threats
Impact
Moderate
A flaw was found in the json5 package. The affected version of the json5 package could allow an attacker to set arbitrary and unexpected keys on the object returned from JSON5.parse.
8.8 (High)
Affected products
Fixed
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch | — |
Vendor Fix
fix
|
Threats
Impact
Low
A vulnerability was found in Apache CXF that could allow an attacker to perform a remote directory listing or code exfiltration. This issue only applies when the CXFServlet is configured with both the static-resources-list and redirect-query-check attributes. These attributes are not supposed to be used together, so the issue can only occur if the CXF service is misconfigured.
7.5 (High)
Affected products
Fixed
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch | — |
Vendor Fix
fix
|
Threats
Impact
Moderate
A SSRF vulnerability was found in Apache CXF. This issue occurs when parsing the href attribute of XOP:Include in MTOM requests, allowing an attacker to perform SSRF style attacks on webservices that take at least one parameter of any type.
9.8 (Critical)
Affected products
Fixed
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch | — |
Vendor Fix
fix
|
Threats
Impact
Low
A flaw was found in Keycloak, where it did not properly check client tokens for possible revocation in its client credential flow. This flaw allows an attacker to access or modify potentially sensitive information.
CWE-20 - Improper Input ValidationAffected products
Fixed
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch | — |
Vendor Fix
fix
|
Threats
Impact
Low
A flaw was found in Keycloak's OpenID Connect user authentication, which may incorrectly authenticate requests. An authenticated attacker who could obtain information from a user request within the same realm could use that data to impersonate the victim and generate new session tokens. This issue could impact confidentiality, Integrity, and availability.
4.6 (Medium)
Affected products
Fixed
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch | — |
Vendor Fix
fix
|
Threats
Impact
Moderate
References
176 references
Acknowledgments
usd AG
Marcus Nilsson
SISOFT s.c.
Grzegorz Tworek
Trifork
Peter Flintholm
https://github.com/souravs17031999
Sourav Kumar
A1 Digital
Jordi Zayuelas i Muñoz
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "New Red Hat Single Sign-On 7.6.2 packages are now available for Red Hat Enterprise Linux 9.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Red Hat Single Sign-On 7.6 is a standalone server, based on the Keycloak project, that provides authentication and standards-based single sign-on capabilities for web and mobile applications.\n\nThis release of Red Hat Single Sign-On 7.6.2 on RHEL 9 serves as a replacement for Red Hat Single Sign-On 7.6.1, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.\n\nSecurity Fix(es):\n\n* keycloak: XSS on impersonation under specific circumstances (CVE-2022-1438)\n* Moment.js: Path traversal in moment.locale (CVE-2022-24785)\n* keycloak: missing email notification template allowlist (CVE-2022-1274)\n* keycloak: minimist: prototype pollution (CVE-2021-44906)\n* moment: inefficient parsing algorithm resulting in DoS (CVE-2022-31129)\n* undertow: DoS can be achieved as Undertow server waits for the LAST_CHUNK forever for EJB invocations (CVE-2022-2764)\n* snakeyaml: Denial of Service due to missing nested depth limitation for collections (CVE-2022-25857)\n* loader-utils: loader-utils:Regular expression denial of service (CVE-2022-37603)\n* keycloak: Session takeover with OIDC offline refreshtokens (CVE-2022-3916)\n* keycloak: path traversal via double URL encoding (CVE-2022-3782)\n* snakeyaml: Uncaught exception in org.yaml.snakeyaml.composer.Composer.composeSequenceNode (CVE-2022-38749)\n* snakeyaml: Uncaught exception in java.base/java.util.regex.Pattern$Ques.match (CVE-2022-38751)\n* snakeyaml: Uncaught exception in org.yaml.snakeyaml.constructor.BaseConstructor.constructObject (CVE-2022-38750)\n* keycloak: Client Registration endpoint does not check token revocation (CVE-2023-0091)\n* keycloak: glob-parent: Regular Expression Denial of Service (CVE-2021-35065)\n* json5: Prototype Pollution in JSON5 via Parse Method (CVE-2022-46175)\n* keycloak: keycloak: user impersonation via stolen uuid code (CVE-2023-0264)\n* snakeyaml: Constructor Deserialization Remote Code Execution (CVE-2022-1471)\n* CXF: Apache CXF: SSRF Vulnerability (CVE-2022-46364)\n* rcue-bootstrap: bootstrap: Cross-site Scripting (XSS) in the data-container property of tooltip (CVE-2018-14042)\n* jettison: If the value in map is the map\u0027s self, the new new JSONObject(map) cause StackOverflowError which may lead to dos (CVE-2022-45693)\n* sshd-common: mina-sshd: Java unsafe deserialization vulnerability (CVE-2022-45047)\n* jettison: memory exhaustion via user-supplied XML or JSON data (CVE-2022-40150)\n* jettison: parser crash by stackoverflow (CVE-2022-40149)\n* jackson-databind: use of deeply nested arrays (CVE-2022-42004)\n* jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS (CVE-2022-42003)\n* jquery: Cross-site scripting due to improper injQuery.htmlPrefilter method (CVE-2020-11022)\n* jquery: Passing HTML containing \u003coption\u003e elements to manipulation methods could result in untrusted code execution (CVE-2020-11023)\n* bootstrap: Cross-site Scripting (XSS) in the collapse data-parent attribute (CVE-2018-14040)\n* jquery: Prototype pollution in object\u0027s prototype leading to denial of service, remote code execution, or property injection (CVE-2019-11358)\n* CXF: Apache CXF: directory listing / code exfiltration (CVE-2022-46363)\n* keycloak: reflected XSS attack (CVE-2022-4137)\n\nFor more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2023:1045",
"url": "https://access.redhat.com/errata/RHSA-2023:1045"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "1601614",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1601614"
},
{
"category": "external",
"summary": "1601617",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1601617"
},
{
"category": "external",
"summary": "1701972",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1701972"
},
{
"category": "external",
"summary": "1828406",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1828406"
},
{
"category": "external",
"summary": "2031904",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031904"
},
{
"category": "external",
"summary": "2066009",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2066009"
},
{
"category": "external",
"summary": "2072009",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2072009"
},
{
"category": "external",
"summary": "2073157",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2073157"
},
{
"category": "external",
"summary": "2105075",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2105075"
},
{
"category": "external",
"summary": "2117506",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2117506"
},
{
"category": "external",
"summary": "2126789",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2126789"
},
{
"category": "external",
"summary": "2129706",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2129706"
},
{
"category": "external",
"summary": "2129707",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2129707"
},
{
"category": "external",
"summary": "2129709",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2129709"
},
{
"category": "external",
"summary": "2135244",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135244"
},
{
"category": "external",
"summary": "2135247",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135247"
},
{
"category": "external",
"summary": "2135770",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135770"
},
{
"category": "external",
"summary": "2135771",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135771"
},
{
"category": "external",
"summary": "2138971",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2138971"
},
{
"category": "external",
"summary": "2140597",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2140597"
},
{
"category": "external",
"summary": "2141404",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2141404"
},
{
"category": "external",
"summary": "2145194",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2145194"
},
{
"category": "external",
"summary": "2148496",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2148496"
},
{
"category": "external",
"summary": "2150009",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2150009"
},
{
"category": "external",
"summary": "2155681",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2155681"
},
{
"category": "external",
"summary": "2155682",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2155682"
},
{
"category": "external",
"summary": "2155970",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2155970"
},
{
"category": "external",
"summary": "2156263",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2156263"
},
{
"category": "external",
"summary": "2156324",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2156324"
},
{
"category": "external",
"summary": "2158585",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2158585"
},
{
"category": "external",
"summary": "2160585",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2160585"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2023/rhsa-2023_1045.json"
}
],
"title": "Red Hat Security Advisory: Red Hat Single Sign-On 7.6.2 security update on RHEL 9",
"tracking": {
"current_release_date": "2024-12-18T00:38:05+00:00",
"generator": {
"date": "2024-12-18T00:38:05+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.2.3"
}
},
"id": "RHSA-2023:1045",
"initial_release_date": "2023-03-01T21:45:17+00:00",
"revision_history": [
{
"date": "2023-03-01T21:45:17+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2023-03-01T21:45:17+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2024-12-18T00:38:05+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Single Sign-On 7.6 for RHEL 9",
"product": {
"name": "Red Hat Single Sign-On 7.6 for RHEL 9",
"product_id": "9Base-RHSSO-7.6",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:red_hat_single_sign_on:7.6::el9"
}
}
}
],
"category": "product_family",
"name": "Red Hat Single Sign-On"
},
{
"branches": [
{
"category": "product_version",
"name": "rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"product": {
"name": "rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"product_id": "rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/rh-sso7-keycloak@18.0.6-1.redhat_00001.1.el9sso?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"product": {
"name": "rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"product_id": "rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/rh-sso7-keycloak@18.0.6-1.redhat_00001.1.el9sso?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"product": {
"name": "rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"product_id": "rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/rh-sso7-keycloak-server@18.0.6-1.redhat_00001.1.el9sso?arch=noarch"
}
}
}
],
"category": "architecture",
"name": "noarch"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch as a component of Red Hat Single Sign-On 7.6 for RHEL 9",
"product_id": "9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
},
"product_reference": "rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"relates_to_product_reference": "9Base-RHSSO-7.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src as a component of Red Hat Single Sign-On 7.6 for RHEL 9",
"product_id": "9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src"
},
"product_reference": "rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"relates_to_product_reference": "9Base-RHSSO-7.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch as a component of Red Hat Single Sign-On 7.6 for RHEL 9",
"product_id": "9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
},
"product_reference": "rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"relates_to_product_reference": "9Base-RHSSO-7.6"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2018-14040",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2018-07-13T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1601614"
}
],
"notes": [
{
"category": "description",
"text": "In Bootstrap before 4.1.2, XSS is possible in the collapse data-parent attribute.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "bootstrap: Cross-site Scripting (XSS) in the collapse data-parent attribute",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Satellite 6.2 and newer versions don\u0027t use the bootstrap library, hence are not affected by this flaw.\n\nRed Hat CloudForms 4.6 and newer versions include the vulnerable component, but there is no risk of exploitation, since there is no possible vector to access the vulnerability. Older Red Hat CloudForms versions don\u0027t use the vulnerable component at all.\n\nRed Hat Enterprise Satellite 5 is now in Maintenance Support 2 phase of the support and maintenance life cycle. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Satellite 5 Life Cycle: https://access.redhat.com/support/policy/updates/satellite.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2018-14040"
},
{
"category": "external",
"summary": "RHBZ#1601614",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1601614"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2018-14040",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-14040"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2018-14040",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-14040"
}
],
"release_date": "2018-05-29T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:45:17+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1045"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
"products": [
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "bootstrap: Cross-site Scripting (XSS) in the collapse data-parent attribute"
},
{
"cve": "CVE-2018-14042",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2018-07-13T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1601617"
}
],
"notes": [
{
"category": "description",
"text": "In Bootstrap before 4.1.2, XSS is possible in the data-container property of tooltip.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "bootstrap: Cross-site Scripting (XSS) in the data-container property of tooltip",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Satellite 6.2 and newer versions don\u0027t use the bootstrap library, hence are not affected by this flaw.\n\nRed Hat CloudForms 4.6 and newer versions include the vulnerable component, but there is no risk of exploitation, since there is no possible vector to access the vulnerability. Older Red Hat CloudForms versions don\u0027t use the vulnerable component at all.\n\nRed Hat Enterprise Satellite 5 is now in Maintenance Support 2 phase of the support and maintenance life cycle. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Satellite 5 Life Cycle: https://access.redhat.com/support/policy/updates/satellite.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2018-14042"
},
{
"category": "external",
"summary": "RHBZ#1601617",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1601617"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2018-14042",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-14042"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2018-14042",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-14042"
}
],
"release_date": "2018-05-29T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:45:17+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1045"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
"products": [
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "bootstrap: Cross-site Scripting (XSS) in the data-container property of tooltip"
},
{
"cve": "CVE-2019-11358",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2019-03-28T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1701972"
}
],
"notes": [
{
"category": "description",
"text": "A Prototype Pollution vulnerability was found in jquery. Untrusted JSON passed to the `extend` function could lead to modifying objects up the prototype chain, including the global Object. A crafted JSON object passed to a vulnerable method could lead to denial of service or data injection, with various consequences.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jquery: Prototype pollution in object\u0027s prototype leading to denial of service, remote code execution, or property injection",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Virtualization 4.2 EUS contains the affected version of bootstrap in the packages ovirt-js-dependencies and ovirt-engine-dashboard. These packages are deprecated in Red Hat Virtualization 4.3.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2019-11358"
},
{
"category": "external",
"summary": "RHBZ#1701972",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1701972"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2019-11358",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-11358"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-11358",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-11358"
},
{
"category": "external",
"summary": "https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/",
"url": "https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/"
},
{
"category": "external",
"summary": "https://www.drupal.org/sa-core-2019-006",
"url": "https://www.drupal.org/sa-core-2019-006"
}
],
"release_date": "2019-03-27T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:45:17+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1045"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.0"
},
"products": [
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "jquery: Prototype pollution in object\u0027s prototype leading to denial of service, remote code execution, or property injection"
},
{
"cve": "CVE-2020-11022",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2020-04-23T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1828406"
}
],
"notes": [
{
"category": "description",
"text": "A Cross-site scripting (XSS) vulnerability exists in JQuery. This flaw allows an attacker with the ability to supply input to the \u2018HTML\u2019 function to inject Javascript into the page where that input is rendered, and have it delivered by the browser.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jquery: Cross-site scripting due to improper injQuery.htmlPrefilter method",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "No supported release of Red Hat OpenStack Platform is affected by this vulnerability as no shipped packages contain the vulnerable code.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2020-11022"
},
{
"category": "external",
"summary": "RHBZ#1828406",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1828406"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2020-11022",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-11022"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-11022",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-11022"
},
{
"category": "external",
"summary": "https://github.com/advisories/GHSA-gxr4-xjj5-5px2",
"url": "https://github.com/advisories/GHSA-gxr4-xjj5-5px2"
}
],
"release_date": "2020-04-23T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:45:17+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1045"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "jquery: Cross-site scripting due to improper injQuery.htmlPrefilter method"
},
{
"cve": "CVE-2020-11023",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2020-06-23T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1850004"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in jQuery. HTML containing \\\u003coption\\\u003e elements from untrusted sources are passed, even after sanitizing, to one of jQuery\u0027s DOM manipulation methods, which may execute untrusted code. The highest threat from this vulnerability is to data confidentiality and integrity.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jquery: Untrusted code execution via \u003coption\u003e tag in HTML passed to DOM manipulation methods",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Enterprise Linux versions 6, 7, and 8 ship a vulnerable version of JQuery in the `pcs` component. However, the vulnerability has not been found to be exploitable in reasonable scenarios. \n\nIn RHEL7, pcs-0.9.169-3.el7_9.3 [RHSA-2022:7343] contains an updated version of jquery (3.6.0), which does not contain the vulnerable code.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2020-11023"
},
{
"category": "external",
"summary": "RHBZ#1850004",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1850004"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2020-11023",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-11023"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-11023",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-11023"
},
{
"category": "external",
"summary": "https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/",
"url": "https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/"
}
],
"release_date": "2020-04-29T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:45:17+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1045"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "jquery: Untrusted code execution via \u003coption\u003e tag in HTML passed to DOM manipulation methods"
},
{
"cve": "CVE-2021-35065",
"cwe": {
"id": "CWE-400",
"name": "Uncontrolled Resource Consumption"
},
"discovery_date": "2022-12-26T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2156324"
}
],
"notes": [
{
"category": "description",
"text": "A vulnerability was found in the glob-parent package. Affected versions of this package are vulnerable to Regular expression Denial of Service (ReDoS) attacks, affecting system availability.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "glob-parent: Regular Expression Denial of Service",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "The glob-parent package is a transitive dependency and this is not used directly in any of the Red Hat products. Hence, the impact is reduced to Moderate.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2021-35065"
},
{
"category": "external",
"summary": "RHBZ#2156324",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2156324"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2021-35065",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-35065"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-35065",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-35065"
},
{
"category": "external",
"summary": "https://security.snyk.io/vuln/SNYK-JS-GLOBPARENT-1314294",
"url": "https://security.snyk.io/vuln/SNYK-JS-GLOBPARENT-1314294"
}
],
"release_date": "2022-12-26T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:45:17+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1045"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "glob-parent: Regular Expression Denial of Service"
},
{
"cve": "CVE-2021-44906",
"cwe": {
"id": "CWE-1321",
"name": "Improperly Controlled Modification of Object Prototype Attributes (\u0027Prototype Pollution\u0027)"
},
"discovery_date": "2022-03-19T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2066009"
}
],
"notes": [
{
"category": "description",
"text": "An Uncontrolled Resource Consumption flaw was found in minimist. This flaw allows an attacker to trick the library into adding or modifying the properties of Object.prototype, using a constructor or __proto__ payload, resulting in prototype pollution and loss of confidentiality, availability, and integrity.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "minimist: prototype pollution",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "The original fix for CVE-2020-7598 was incomplete as it was still possible to bypass in some cases. While this flaw (CVE-2021-44906) enables attackers to control objects that they should not have access to, actual exploitation would still require a chain of independent flaws. Even though the CVSS for CVE-2021-44906 is higher than CVE-2020-7598, they are both rated as having Moderate impact.\n\nWithin Red Hat Satellite 6 this flaw has been rated as having a security impact of Low. It is not currently planned to be addressed there, as the minimist library is only included in the -doc subpackage and is part of test fixtures that are not in the execution path used by the rabl gem.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2021-44906"
},
{
"category": "external",
"summary": "RHBZ#2066009",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2066009"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2021-44906",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-44906"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-44906",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-44906"
},
{
"category": "external",
"summary": "https://github.com/advisories/GHSA-xvch-5gv4-984h",
"url": "https://github.com/advisories/GHSA-xvch-5gv4-984h"
}
],
"release_date": "2022-03-10T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:45:17+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1045"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "minimist: prototype pollution"
},
{
"acknowledgments": [
{
"names": [
"Marcus Nilsson"
],
"organization": "usd AG"
}
],
"cve": "CVE-2022-1274",
"cwe": {
"id": "CWE-80",
"name": "Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)"
},
"discovery_date": "2022-04-07T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2073157"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Keycloak in the execute-actions-email endpoint. This issue allows arbitrary HTML to be injected into emails sent to Keycloak users and can be misused to perform phishing or other attacks against users.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "keycloak: HTML injection in execute-actions-email Admin REST API",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-1274"
},
{
"category": "external",
"summary": "RHBZ#2073157",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2073157"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-1274",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-1274"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-1274",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1274"
},
{
"category": "external",
"summary": "https://github.com/keycloak/keycloak/security/advisories/GHSA-m4fv-gm5m-4725",
"url": "https://github.com/keycloak/keycloak/security/advisories/GHSA-m4fv-gm5m-4725"
}
],
"release_date": "2023-02-28T18:57:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:45:17+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1045"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:N",
"version": "3.1"
},
"products": [
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "keycloak: HTML injection in execute-actions-email Admin REST API"
},
{
"acknowledgments": [
{
"names": [
"Grzegorz Tworek"
],
"organization": "SISOFT s.c."
}
],
"cve": "CVE-2022-1438",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2021-12-13T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2031904"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Keycloak. Under specific circumstances, HTML entities are not sanitized during user impersonation, resulting in a Cross-site scripting (XSS) vulnerability.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "keycloak: XSS on impersonation under specific circumstances",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-1438"
},
{
"category": "external",
"summary": "RHBZ#2031904",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031904"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-1438",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-1438"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-1438",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1438"
}
],
"release_date": "2023-02-28T18:56:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:45:17+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1045"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "keycloak: XSS on impersonation under specific circumstances"
},
{
"cve": "CVE-2022-1471",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2022-12-01T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2150009"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the SnakeYaml package. This flaw allows an attacker to benefit from remote code execution by sending malicious YAML content and this content being deserialized by the constructor. Deserialization is unsafe and leads to Remote Code Execution (RCE).",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "SnakeYaml: Constructor Deserialization Remote Code Execution",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "In the Red Hat Process Automation 7 (RHPAM) the untrusted, malicious YAML file for deserialization by the vulnerable Snakeyaml\u0027s SafeConstructor class must be provided intentionally by the RHPAM user which requires high privileges. The potential attack complexity is also high because it depends on conditions that are beyond the attacker\u0027s control. Due to that the impact for RHPAM is reduced to Low.\n\nRed Hat Fuse 7 does not expose by default any endpoint that passes incoming data/request into vulnerable Snakeyaml\u0027s Constructor class nor pass untrusted data to this class. When this class is used, it\u2019s still only used to parse internal configuration, hence the impact by this vulnerability to Red Hat Fuse 7 is reduced to Moderate.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-1471"
},
{
"category": "external",
"summary": "RHBZ#2150009",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2150009"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-1471",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-1471"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-1471",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1471"
},
{
"category": "external",
"summary": "https://github.com/google/security-research/security/advisories/GHSA-mjmj-j48q-9wg2",
"url": "https://github.com/google/security-research/security/advisories/GHSA-mjmj-j48q-9wg2"
}
],
"release_date": "2022-10-13T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:45:17+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1045"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "SnakeYaml: Constructor Deserialization Remote Code Execution"
},
{
"cve": "CVE-2022-2764",
"discovery_date": "2022-08-11T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2117506"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Undertow with EJB invocations. This flaw allows an attacker to generate a valid HTTP request and send it to the server on an established connection after removing the LAST_CHUNK from the bytes, causing a denial of service.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "Undertow: DoS can be achieved as Undertow server waits for the LAST_CHUNK forever for EJB invocations",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-2764"
},
{
"category": "external",
"summary": "RHBZ#2117506",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2117506"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-2764",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-2764"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-2764",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2764"
}
],
"release_date": "2022-08-11T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:45:17+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1045"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 4.2,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "Undertow: DoS can be achieved as Undertow server waits for the LAST_CHUNK forever for EJB invocations"
},
{
"acknowledgments": [
{
"names": [
"Peter Flintholm"
],
"organization": "Trifork"
}
],
"cve": "CVE-2022-3916",
"cwe": {
"id": "CWE-384",
"name": "Session Fixation"
},
"discovery_date": "2022-11-09T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2141404"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the offline_access scope in Keycloak. This issue would affect users of shared computers more (especially if cookies are not cleared), due to a lack of root session validation, and the reuse of session ids across root and user authentication sessions. This enables an attacker to resolve a user session attached to a previously authenticated user; when utilizing the refresh token, they will be issued a token for the original user.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "keycloak: Session takeover with OIDC offline refreshtokens",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-3916"
},
{
"category": "external",
"summary": "RHBZ#2141404",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2141404"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-3916",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-3916"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-3916",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3916"
}
],
"release_date": "2022-11-09T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:45:17+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1045"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "keycloak: Session takeover with OIDC offline refreshtokens"
},
{
"cve": "CVE-2022-4137",
"cwe": {
"id": "CWE-81",
"name": "Improper Neutralization of Script in an Error Message Web Page"
},
"discovery_date": "2022-11-25T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2148496"
}
],
"notes": [
{
"category": "description",
"text": "A reflected cross-site scripting (XSS) vulnerability was found in the \u0027oob\u0027 OAuth endpoint due to incorrect null-byte handling. This issue allows a malicious link to insert an arbitrary URI into a Keycloak error page. This flaw requires a user or administrator to interact with a link in order to be vulnerable. This may compromise user details, allowing it to be changed or collected by an attacker.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "keycloak: reflected XSS attack",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-4137"
},
{
"category": "external",
"summary": "RHBZ#2148496",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2148496"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-4137",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-4137"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-4137",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-4137"
}
],
"release_date": "2023-03-01T13:56:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:45:17+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1045"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "keycloak: reflected XSS attack"
},
{
"cve": "CVE-2022-24785",
"cwe": {
"id": "CWE-22",
"name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
},
"discovery_date": "2022-04-05T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2072009"
}
],
"notes": [
{
"category": "description",
"text": "A path traversal vulnerability was found in Moment.js that impacts npm (server) users. This issue occurs if a user-provided locale string is directly used to switch moment locale, which an attacker can exploit to change the correct path to one of their choice. This can result in a loss of integrity.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "Moment.js: Path traversal in moment.locale",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-24785"
},
{
"category": "external",
"summary": "RHBZ#2072009",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2072009"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-24785",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-24785"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-24785",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24785"
},
{
"category": "external",
"summary": "https://github.com/moment/moment/security/advisories/GHSA-8hfj-j24r-96c4",
"url": "https://github.com/moment/moment/security/advisories/GHSA-8hfj-j24r-96c4"
}
],
"release_date": "2022-04-04T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:45:17+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1045"
},
{
"category": "workaround",
"details": "Sanitize the user-provided locale name before passing it to Moment.js.",
"product_ids": [
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"products": [
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "Moment.js: Path traversal in moment.locale"
},
{
"cve": "CVE-2022-25857",
"cwe": {
"id": "CWE-400",
"name": "Uncontrolled Resource Consumption"
},
"discovery_date": "2022-09-14T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2126789"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the org.yaml.snakeyaml package. This flaw allows an attacker to cause a denial of service (DoS) due to missing nested depth limitation for collections.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "snakeyaml: Denial of Service due to missing nested depth limitation for collections",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "For RHEL-8 it\u0027s downgraded to moderate because \"snakeyaml\" itself in RHEL 8 or RHEL-9 isn\u0027t shipped and \"prometheus-jmx-exporter\" is needed as build dependency. And it\u0027s not directly exploitable, hence severity marked as moderate.\nRed Hat Integration and AMQ products are not vulnerable to this flaw, so their severity has been lowered to moderate.\nRed Hat Single Sign-On uses snakeyaml from liquibase-core and is only used when performing migrations and would require administrator privileges to execute, hence severity marked as Low.\nRed Hat Fuse 7 is now in Maintenance Support Phase and details about its fix should be present soon. However, Red Hat Fuse Online (Syndesis) does will not contain the fix for this flaw.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-25857"
},
{
"category": "external",
"summary": "RHBZ#2126789",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2126789"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-25857",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-25857"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-25857",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-25857"
},
{
"category": "external",
"summary": "https://bitbucket.org/snakeyaml/snakeyaml/issues/525",
"url": "https://bitbucket.org/snakeyaml/snakeyaml/issues/525"
}
],
"release_date": "2022-08-30T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:45:17+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1045"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "snakeyaml: Denial of Service due to missing nested depth limitation for collections"
},
{
"cve": "CVE-2022-31129",
"cwe": {
"id": "CWE-400",
"name": "Uncontrolled Resource Consumption"
},
"discovery_date": "2022-07-07T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2105075"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the Moment.js package. Users who pass user-provided strings without sanity length checks to the moment constructor are vulnerable to regular expression denial of service (ReDoS) attacks.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "moment: inefficient parsing algorithm resulting in DoS",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Fuse provides the affected software but does not use the functionality and as such its impact has been downgraded to Low.\n\nRed Hat Advanced Cluster Management for Kubernetes (RHACM) ships a vulnerable version of the moment library. However, this affected functionality is restricted behind OAuth, reducing the impact to Moderate.\n\nRed Hat Satellite ships a vulnerable version of the moment library. However, this only affects a specific component (qpid-dispatch), reducing the impact to Moderate.\n\nRed Hat Ceph Storage (RHCS) ships a vulnerable version of the moment library, however, it is not directly used and is a transitive dependency from Angular. In addition, the impact would only be to the grafana browser, and not the underlying RHCS system, which reduces the impact to Moderate. \n\nRed Hat OpenShift Service Mesh (OSSM) ships a vulnerable version of the moment library, however, it is not directly used, and as such, the impact has been lowered to Moderate.\n\nRed Hat OpenShift distributed tracing ships a vulnerable version of the moment library, however, it is not directly used, and as such, the impact has been lowered to Moderate.\n\nIn Logging Subsystem for Red Hat OpenShift the vulnerable moment nodejs package is bundled in the ose-logging-kibana6 container as a transitive dependency, hence the direct impact is reduced to Moderate.\n\nIn OpenShift Container Platform 4 the vulnerabile moment package is a third party dependency, hence the direct impact is reduced to Moderate.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-31129"
},
{
"category": "external",
"summary": "RHBZ#2105075",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2105075"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-31129",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-31129"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-31129",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-31129"
},
{
"category": "external",
"summary": "https://github.com/moment/moment/security/advisories/GHSA-wc69-rhjr-hc9g",
"url": "https://github.com/moment/moment/security/advisories/GHSA-wc69-rhjr-hc9g"
}
],
"release_date": "2022-07-06T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:45:17+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1045"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "moment: inefficient parsing algorithm resulting in DoS"
},
{
"cve": "CVE-2022-37603",
"cwe": {
"id": "CWE-185",
"name": "Incorrect Regular Expression"
},
"discovery_date": "2022-11-07T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2140597"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in loader-utils webpack library. When the url variable from interpolateName is set, the prototype can be polluted. This issue could lead to a regular expression Denial of Service (ReDoS), affecting the availability of the affected component.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "loader-utils: Regular expression denial of service",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-37603"
},
{
"category": "external",
"summary": "RHBZ#2140597",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2140597"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-37603",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-37603"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-37603",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-37603"
}
],
"release_date": "2022-10-06T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:45:17+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1045"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "loader-utils: Regular expression denial of service"
},
{
"cve": "CVE-2022-38749",
"cwe": {
"id": "CWE-787",
"name": "Out-of-bounds Write"
},
"discovery_date": "2022-09-26T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2129706"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the snakeyaml package due to a stack-overflow in parsing YAML files. By persuading a victim to open a specially-crafted file, a remote attacker could cause the application to crash, resulting in a denial of service.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "snakeyaml: Uncaught exception in org.yaml.snakeyaml.composer.Composer.composeSequenceNode",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Build of Quarkus is not affected by this issue as it already includes the fixed version.\n\nSatellite component Candlepin does not directly use snakeyaml, so it is not affected. Regardless, an update with the latest, unaffected snakeyaml version will be provided at next release.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-38749"
},
{
"category": "external",
"summary": "RHBZ#2129706",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2129706"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-38749",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-38749"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-38749",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-38749"
}
],
"release_date": "2022-09-05T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:45:17+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1045"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "snakeyaml: Uncaught exception in org.yaml.snakeyaml.composer.Composer.composeSequenceNode"
},
{
"cve": "CVE-2022-38750",
"cwe": {
"id": "CWE-787",
"name": "Out-of-bounds Write"
},
"discovery_date": "2022-09-26T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2129707"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the snakeyaml package due to a stack-overflow in parsing YAML files. By persuading a victim to open a specially-crafted file, a remote attacker could cause the application to crash.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "snakeyaml: Uncaught exception in org.yaml.snakeyaml.constructor.BaseConstructor.constructObject",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Build of Quarkus is not affected by this issue as it already includes the fixed version.\n\nSatellite component Candlepin does not directly use snakeyaml, so it is not affected. Regardless, an update with the latest, unaffected snakeyaml version will be provided at next release.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-38750"
},
{
"category": "external",
"summary": "RHBZ#2129707",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2129707"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-38750",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-38750"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-38750",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-38750"
}
],
"release_date": "2022-09-05T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:45:17+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1045"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "snakeyaml: Uncaught exception in org.yaml.snakeyaml.constructor.BaseConstructor.constructObject"
},
{
"cve": "CVE-2022-38751",
"cwe": {
"id": "CWE-787",
"name": "Out-of-bounds Write"
},
"discovery_date": "2022-09-26T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2129709"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the snakeyaml package due to a stack-overflow in parsing YAML files. By persuading a victim to open a specially-crafted file, a remote attacker could cause the application to crash.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "snakeyaml: Uncaught exception in java.base/java.util.regex.Pattern$Ques.match",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Build of Quarkus is not affected by this issue as it already includes the fixed version.\n\nSatellite component Candlepin does not directly use snakeyaml, so it is not affected. Regardless, an update with the latest, unaffected snakeyaml version will be provided at next release.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-38751"
},
{
"category": "external",
"summary": "RHBZ#2129709",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2129709"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-38751",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-38751"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-38751",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-38751"
}
],
"release_date": "2022-09-05T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:45:17+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1045"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "snakeyaml: Uncaught exception in java.base/java.util.regex.Pattern$Ques.match"
},
{
"cve": "CVE-2022-40149",
"cwe": {
"id": "CWE-787",
"name": "Out-of-bounds Write"
},
"discovery_date": "2022-10-18T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2135771"
}
],
"notes": [
{
"category": "description",
"text": "A stack-based buffer overflow vulnerability was found in Jettison, where parsing an untrusted XML or JSON data may lead to a crash. This flaw allows an attacker to supply content that causes the parser to crash by writing outside the memory bounds if the parser is running on user-supplied input, resulting in a denial of service attack.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jettison: parser crash by stackoverflow",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-40149"
},
{
"category": "external",
"summary": "RHBZ#2135771",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135771"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-40149",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-40149"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-40149",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-40149"
},
{
"category": "external",
"summary": "https://github.com/jettison-json/jettison/releases/tag/jettison-1.5.1",
"url": "https://github.com/jettison-json/jettison/releases/tag/jettison-1.5.1"
}
],
"release_date": "2022-09-20T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:45:17+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1045"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "jettison: parser crash by stackoverflow"
},
{
"cve": "CVE-2022-40150",
"cwe": {
"id": "CWE-400",
"name": "Uncontrolled Resource Consumption"
},
"discovery_date": "2022-10-18T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2135770"
}
],
"notes": [
{
"category": "description",
"text": "A vulnerability was found in Jettison, where parsing an untrusted XML or JSON data may lead to a crash. If the parser is running on user-supplied input, an attacker may supply content that causes the parser to crash, causing memory exhaustion. This effect may support a denial of service attack.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jettison: memory exhaustion via user-supplied XML or JSON data",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-40150"
},
{
"category": "external",
"summary": "RHBZ#2135770",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135770"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-40150",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-40150"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-40150",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-40150"
},
{
"category": "external",
"summary": "https://github.com/jettison-json/jettison/releases/tag/jettison-1.5.1",
"url": "https://github.com/jettison-json/jettison/releases/tag/jettison-1.5.1"
}
],
"release_date": "2022-09-20T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:45:17+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1045"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "jettison: memory exhaustion via user-supplied XML or JSON data"
},
{
"cve": "CVE-2022-42003",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2022-10-17T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2135244"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in FasterXML jackson-databind. This issue could allow an attacker to benefit from resource exhaustion when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled due to unchecked primitive value deserializers to avoid deep wrapper array nesting.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-42003"
},
{
"category": "external",
"summary": "RHBZ#2135244",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135244"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-42003",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-42003"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-42003",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-42003"
}
],
"release_date": "2022-10-02T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:45:17+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1045"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS"
},
{
"cve": "CVE-2022-42004",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2022-10-17T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2135247"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found In FasterXML jackson-databind. This issue could allow an attacker to benefit from resource exhaustion due to the lack of a check in BeanDeserializer._deserializeFromArray to prevent the use of deeply nested arrays. An application is only vulnerable with certain customized choices for deserialization.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jackson-databind: use of deeply nested arrays",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-42004"
},
{
"category": "external",
"summary": "RHBZ#2135247",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135247"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-42004",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-42004"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-42004",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-42004"
}
],
"release_date": "2022-10-02T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:45:17+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1045"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "jackson-databind: use of deeply nested arrays"
},
{
"cve": "CVE-2022-45047",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2022-11-23T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2145194"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Apache MINA SSHD, when using Java deserialization to load a serialized java.security.PrivateKey. An attacker could benefit from unsafe deserialization by inserting unsecured data that may affect the application or server.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "mina-sshd: Java unsafe deserialization vulnerability",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Impact as High as there\u0027s a mitigation for minimizing the impact which the flaw requires org.apache.sshd.server.keyprovider.SimpleGeneratorHostKeyProvider to be impacted, which would require an external/public API for an attacker to benefit from it. \n\nRed Hat Fuse 7 and Red Hat JBoss Enterprise Application Platform 7 have a lower rate (moderate) as it\u0027s very unlikely to be exploited since those are for internal usage or use a custom implementation in their case.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-45047"
},
{
"category": "external",
"summary": "RHBZ#2145194",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2145194"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-45047",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-45047"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-45047",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-45047"
},
{
"category": "external",
"summary": "https://www.mail-archive.com/dev@mina.apache.org/msg39312.html",
"url": "https://www.mail-archive.com/dev@mina.apache.org/msg39312.html"
}
],
"release_date": "2022-11-16T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:45:17+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1045"
},
{
"category": "workaround",
"details": "From the maintainer:\n\nFor Apache MINA SSHD \u003c= 2.9.1, do not use org.apache.sshd.server.keyprovider.SimpleGeneratorHostKeyProvider to generate and later load your server\u0027s host key. Use separately generated host key files, for instance in OpenSSH format, and load them via a org.apache.sshd.common.keyprovider.FileKeyPairProvider instead. Or use a custom implementation instead of \nSimpleGeneratorHostKeyProvider that uses the OpenSSH format for storing and loading the host key (via classes OpenSSHKeyPairResourceWriter and OpenSSHKeyPairResourceParser).",
"product_ids": [
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "mina-sshd: Java unsafe deserialization vulnerability"
},
{
"cve": "CVE-2022-45693",
"cwe": {
"id": "CWE-787",
"name": "Out-of-bounds Write"
},
"discovery_date": "2022-12-23T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2155970"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Jettison, where it is vulnerable to a denial of service caused by a stack-based buffer overflow. By sending a specially-crafted request using the map parameter, a remote attacker can cause a denial of service.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jettison: If the value in map is the map\u0027s self, the new new JSONObject(map) cause StackOverflowError which may lead to dos",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat has determined the impact of this flaw to be Moderate; a successful attack using this flaw would require the processing of untrusted, unsanitized, or unrestricted user inputs, which runs counter to established Red Hat security practices.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-45693"
},
{
"category": "external",
"summary": "RHBZ#2155970",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2155970"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-45693",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-45693"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-45693",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-45693"
}
],
"release_date": "2022-12-13T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:45:17+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1045"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "jettison: If the value in map is the map\u0027s self, the new new JSONObject(map) cause StackOverflowError which may lead to dos"
},
{
"cve": "CVE-2022-46175",
"cwe": {
"id": "CWE-1321",
"name": "Improperly Controlled Modification of Object Prototype Attributes (\u0027Prototype Pollution\u0027)"
},
"discovery_date": "2022-12-26T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2156263"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the json5 package. The affected version of the json5 package could allow an attacker to set arbitrary and unexpected keys on the object returned from JSON5.parse.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "json5: Prototype Pollution in JSON5 via Parse Method",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "The json5 package is a build-time dependency in Red Hat products and is not used in production runtime. Hence, the impact is set to Moderate.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-46175"
},
{
"category": "external",
"summary": "RHBZ#2156263",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2156263"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-46175",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-46175"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-46175",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-46175"
},
{
"category": "external",
"summary": "https://github.com/json5/json5/security/advisories/GHSA-9c47-m6qq-7p4h",
"url": "https://github.com/json5/json5/security/advisories/GHSA-9c47-m6qq-7p4h"
}
],
"release_date": "2022-12-24T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:45:17+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1045"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "json5: Prototype Pollution in JSON5 via Parse Method"
},
{
"cve": "CVE-2022-46363",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"discovery_date": "2022-12-21T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2155681"
}
],
"notes": [
{
"category": "description",
"text": "A vulnerability was found in Apache CXF that could allow an attacker to perform a remote directory listing or code exfiltration. This issue only applies when the CXFServlet is configured with both the static-resources-list and redirect-query-check attributes. These attributes are not supposed to be used together, so the issue can only occur if the CXF service is misconfigured.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "CXF: directory listing / code exfiltration",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-46363"
},
{
"category": "external",
"summary": "RHBZ#2155681",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2155681"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-46363",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-46363"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-46363",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-46363"
},
{
"category": "external",
"summary": "https://lists.apache.org/thread/pdzo1qgyplf4y523tnnzrcm7hoco3l8c",
"url": "https://lists.apache.org/thread/pdzo1qgyplf4y523tnnzrcm7hoco3l8c"
}
],
"release_date": "2022-12-13T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:45:17+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1045"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "CXF: directory listing / code exfiltration"
},
{
"cve": "CVE-2022-46364",
"cwe": {
"id": "CWE-918",
"name": "Server-Side Request Forgery (SSRF)"
},
"discovery_date": "2022-12-21T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2155682"
}
],
"notes": [
{
"category": "description",
"text": "A SSRF vulnerability was found in Apache CXF. This issue occurs when parsing the href attribute of XOP:Include in MTOM requests, allowing an attacker to perform SSRF style attacks on webservices that take at least one parameter of any type.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "CXF: SSRF Vulnerability",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Integration Camel Quarkus does not support CXF extensions and so is affected at a reduced impact of Moderate.\nThe RHSSO server does not ship Apache CXF. The component mentioned in CVE-2022-46364 is a transitive dependency coming from Fuse adapters and the test suite.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-46364"
},
{
"category": "external",
"summary": "RHBZ#2155682",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2155682"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-46364",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-46364"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-46364",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-46364"
},
{
"category": "external",
"summary": "https://cxf.apache.org/security-advisories.data/CVE-2022-46364.txt?version=1\u0026modificationDate=1670944472739\u0026api=v2",
"url": "https://cxf.apache.org/security-advisories.data/CVE-2022-46364.txt?version=1\u0026modificationDate=1670944472739\u0026api=v2"
}
],
"release_date": "2022-12-13T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:45:17+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1045"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "CXF: SSRF Vulnerability"
},
{
"acknowledgments": [
{
"names": [
"Sourav Kumar"
],
"organization": "https://github.com/souravs17031999",
"summary": "Acknowledged by upstream."
}
],
"cve": "CVE-2023-0091",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"discovery_date": "2022-10-28T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2158585"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Keycloak, where it did not properly check client tokens for possible revocation in its client credential flow. This flaw allows an attacker to access or modify potentially sensitive information.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "keycloak: Client Registration endpoint does not check token revocation",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2023-0091"
},
{
"category": "external",
"summary": "RHBZ#2158585",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2158585"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2023-0091",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-0091"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-0091",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0091"
},
{
"category": "external",
"summary": "https://github.com/keycloak/keycloak/security/advisories/GHSA-v436-q368-hvgg",
"url": "https://github.com/keycloak/keycloak/security/advisories/GHSA-v436-q368-hvgg"
},
{
"category": "external",
"summary": "https://github.com/keycloak/security/issues/27",
"url": "https://github.com/keycloak/security/issues/27"
}
],
"release_date": "2022-10-28T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:45:17+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1045"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.8,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "keycloak: Client Registration endpoint does not check token revocation"
},
{
"acknowledgments": [
{
"names": [
"Jordi Zayuelas i Mu\u00f1oz"
],
"organization": "A1 Digital",
"summary": "Acknowledged by upstream."
}
],
"cve": "CVE-2023-0264",
"cwe": {
"id": "CWE-303",
"name": "Incorrect Implementation of Authentication Algorithm"
},
"discovery_date": "2023-01-12T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2160585"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Keycloak\u0027s OpenID Connect user authentication, which may incorrectly authenticate requests. An authenticated attacker who could obtain information from a user request within the same realm could use that data to impersonate the victim and generate new session tokens. This issue could impact confidentiality, Integrity, and availability.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "keycloak: user impersonation via stolen uuid code",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2023-0264"
},
{
"category": "external",
"summary": "RHBZ#2160585",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2160585"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2023-0264",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-0264"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-0264",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0264"
}
],
"release_date": "2023-02-28T18:58:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:45:17+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1045"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "LOW",
"baseScore": 4.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
},
"products": [
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "keycloak: user impersonation via stolen uuid code"
}
]
}
RHSA-2023_1047
Vulnerability from csaf_redhat - Published: 2023-03-01 21:46 - Updated: 2024-12-18 00:38Summary
Red Hat Security Advisory: Red Hat Single Sign-On 7.6.2 for OpenShift image security and enhancement update
Severity
Important
Notes
Topic: A new image is available for Red Hat Single Sign-On 7.6.2, running on Red
Hat OpenShift Container Platform from the release of 3.11 up to the release
of 4.12.0.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details: Red Hat Single Sign-On is an integrated sign-on solution, available as a
Red Hat JBoss Middleware for OpenShift containerized image. The Red Hat
Single Sign-On for OpenShift image provides an authentication server that
you can use to log in centrally, log out, and register. You can also manage
user accounts for web applications, mobile applications, and RESTful web
services.
* snakeyaml: Constructor Deserialization Remote Code Execution (CVE-2022-1471)
* keycloak: path traversal via double URL encoding (CVE-2022-3782)
* RH-SSO for OpenShift images: unsecured management interface exposed to adjacent network (CVE-2022-4039)
* snakeyaml: Denial of Service due to missing nested depth limitation for collections (CVE-2022-25857)
* moment: inefficient parsing algorithm resulting in DoS (CVE-2022-31129)
* sshd-common: mina-sshd: Java unsafe deserialization vulnerability (CVE-2022-45047)
* CXF: Apache CXF: SSRF Vulnerability (CVE-2022-46364)
* keycloak: keycloak: user impersonation via stolen uuid code (CVE-2023-0264)
* bootstrap: Cross-site Scripting (XSS) in the collapse data-parent attribute (CVE-2018-14040)
* rcue-bootstrap: bootstrap: Cross-site Scripting (XSS) in the data-container property of tooltip (CVE-2018-14042)
* jquery: Prototype pollution in object's prototype leading to denial of service, remote code execution, or property injection (CVE-2019-11358)
* jquery: Cross-site scripting due to improper injQuery.htmlPrefilter method (CVE-2020-11022)
* keycloak: glob-parent: Regular Expression Denial of Service (CVE-2021-35065)
* keycloak: minimist: prototype pollution (CVE-2021-44906)
* keycloak: missing email notification template allowlist (CVE-2022-1274)
* keycloak: XSS on izmpersonation under specific circumstances (CVE-2022-1438)
* keycloak: Session takeover with OIDC offline refreshtokens (CVE-2022-3916)
* Moment.js: Path traversal in moment.locale (CVE-2022-24785)
* loader-utils: loader-utils:Regular expression denial of service (CVE-2022-37603)
* snakeyaml: Uncaught exception in org.yaml.snakeyaml.composer.Composer.composeSequenceNode (CVE-2022-38749)
* snakeyaml: Uncaught exception in org.yaml.snakeyaml.constructor.BaseConstructor.constructObject (CVE-2022-38750)
* snakeyaml: Uncaught exception in java.base/java.util.regex.Pattern$Ques.match (CVE-2022-38751)
* jettison: parser crash by stackoverflow (CVE-2022-40149)
* jettison: memory exhaustion via user-supplied XML or JSON data (CVE-2022-40150)
* jettison: If the value in map is the map's self, the new new JSONObject(map) cause StackOverflowError which may lead to dos (CVE-2022-45693)
* json5: Prototype Pollution in JSON5 via Parse Method (CVE-2022-46175)
* jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS (CVE-2022-42003)
* jackson-databind: use of deeply nested arrays (CVE-2022-42004)
* CXF: Apache CXF: directory listing / code exfiltration (CVE-2022-46363)
* undertow: DoS can be achieved as Undertow server waits for the LAST_CHUNK forever for EJB invocations (CVE-2022-2764)
* keycloak: Client Registration endpoint does not check token revocation (CVE-2023-0091)
This erratum releases a new image for Red Hat Single Sign-On 7.6.2 for use
within the Red Hat OpenShift Container Platform (from the release of 3.11
up to the release of 4.12.0) cloud computing Platform-as-a-Service (PaaS)
for on-premise or private cloud deployments, aligning with the standalone
product release.
Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
In Bootstrap before 4.1.2, XSS is possible in the collapse data-parent attribute.
6.1 (Medium)
Affected products
Fixed
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x | — |
Vendor Fix
fix
|
Threats
Impact
Moderate
In Bootstrap before 4.1.2, XSS is possible in the data-container property of tooltip.
6.1 (Medium)
Affected products
Fixed
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x | — |
Vendor Fix
fix
|
Threats
Impact
Moderate
A Prototype Pollution vulnerability was found in jquery. Untrusted JSON passed to the `extend` function could lead to modifying objects up the prototype chain, including the global Object. A crafted JSON object passed to a vulnerable method could lead to denial of service or data injection, with various consequences.
5.6 (Medium)
Affected products
Fixed
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x | — |
Vendor Fix
fix
|
Threats
Impact
Moderate
A Cross-site scripting (XSS) vulnerability exists in JQuery. This flaw allows an attacker with the ability to supply input to the ‘HTML’ function to inject Javascript into the page where that input is rendered, and have it delivered by the browser.
6.1 (Medium)
Affected products
Fixed
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x | — |
Vendor Fix
fix
|
Threats
Impact
Moderate
A vulnerability was found in the glob-parent package. Affected versions of this package are vulnerable to Regular expression Denial of Service (ReDoS) attacks, affecting system availability.
7.5 (High)
Affected products
Fixed
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x | — |
Vendor Fix
fix
|
Threats
Impact
Moderate
An Uncontrolled Resource Consumption flaw was found in minimist. This flaw allows an attacker to trick the library into adding or modifying the properties of Object.prototype, using a constructor or __proto__ payload, resulting in prototype pollution and loss of confidentiality, availability, and integrity.
9.8 (Critical)
Affected products
Fixed
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x | — |
Vendor Fix
fix
|
Threats
Impact
Moderate
A flaw was found in Keycloak in the execute-actions-email endpoint. This issue allows arbitrary HTML to be injected into emails sent to Keycloak users and can be misused to perform phishing or other attacks against users.
7.6 (High)
Affected products
Fixed
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x | — |
Vendor Fix
fix
|
Threats
Impact
Moderate
A flaw was found in Keycloak. Under specific circumstances, HTML entities are not sanitized during user impersonation, resulting in a Cross-site scripting (XSS) vulnerability.
6.4 (Medium)
Affected products
Fixed
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x | — |
Vendor Fix
fix
|
Threats
Impact
Moderate
A flaw was found in the SnakeYaml package. This flaw allows an attacker to benefit from remote code execution by sending malicious YAML content and this content being deserialized by the constructor. Deserialization is unsafe and leads to Remote Code Execution (RCE).
9.8 (Critical)
Affected products
Fixed
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x | — |
Vendor Fix
fix
|
Threats
Impact
Important
A flaw was found in Undertow with EJB invocations. This flaw allows an attacker to generate a valid HTTP request and send it to the server on an established connection after removing the LAST_CHUNK from the bytes, causing a denial of service.
4.2 (Medium)
Affected products
Fixed
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x | — |
Vendor Fix
fix
|
Threats
Impact
Low
A flaw was found in Keycloak, where it does not properly validate URLs included in a redirect. An attacker can use this flaw to construct a malicious request to bypass validation and access other URLs and potentially sensitive information within the domain or possibly conduct further attacks. This flaw affects any client that utilizes a wildcard in the Valid Redirect URIs field.
8.1 (High)
Affected products
Fixed
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x | — |
Vendor Fix
fix
|
Threats
Impact
Important
A flaw was found in the offline_access scope in Keycloak. This issue would affect users of shared computers more (especially if cookies are not cleared), due to a lack of root session validation, and the reuse of session ids across root and user authentication sessions. This enables an attacker to resolve a user session attached to a previously authenticated user; when utilizing the refresh token, they will be issued a token for the original user.
6.8 (Medium)
Affected products
Fixed
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x | — |
Vendor Fix
fix
|
Threats
Impact
Moderate
A flaw was found in Red Hat Single Sign-On for OpenShift container images, which are configured with an unsecured management interface enabled. This flaw allows an attacker to use this interface to deploy malicious code and access and modify potentially sensitive information in the app server configuration.
8.0 (High)
Affected products
Fixed
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x | — |
Vendor Fix
fix
|
Threats
Impact
Important
A path traversal vulnerability was found in Moment.js that impacts npm (server) users. This issue occurs if a user-provided locale string is directly used to switch moment locale, which an attacker can exploit to change the correct path to one of their choice. This can result in a loss of integrity.
7.5 (High)
Affected products
Fixed
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Moderate
A flaw was found in the org.yaml.snakeyaml package. This flaw allows an attacker to cause a denial of service (DoS) due to missing nested depth limitation for collections.
7.5 (High)
Affected products
Fixed
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x | — |
Vendor Fix
fix
|
Threats
Impact
Important
A flaw was found in the Moment.js package. Users who pass user-provided strings without sanity length checks to the moment constructor are vulnerable to regular expression denial of service (ReDoS) attacks.
7.5 (High)
Affected products
Fixed
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x | — |
Vendor Fix
fix
|
Threats
Impact
Important
A flaw was found in loader-utils webpack library. When the url variable from interpolateName is set, the prototype can be polluted. This issue could lead to a regular expression Denial of Service (ReDoS), affecting the availability of the affected component.
7.5 (High)
Affected products
Fixed
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x | — |
Vendor Fix
fix
|
Threats
Impact
Moderate
A flaw was found in the snakeyaml package due to a stack-overflow in parsing YAML files. By persuading a victim to open a specially-crafted file, a remote attacker could cause the application to crash, resulting in a denial of service.
6.5 (Medium)
Affected products
Fixed
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x | — |
Vendor Fix
fix
|
Threats
Impact
Moderate
A flaw was found in the snakeyaml package due to a stack-overflow in parsing YAML files. By persuading a victim to open a specially-crafted file, a remote attacker could cause the application to crash.
5.5 (Medium)
Affected products
Fixed
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x | — |
Vendor Fix
fix
|
Threats
Impact
Moderate
A flaw was found in the snakeyaml package due to a stack-overflow in parsing YAML files. By persuading a victim to open a specially-crafted file, a remote attacker could cause the application to crash.
6.5 (Medium)
Affected products
Fixed
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x | — |
Vendor Fix
fix
|
Threats
Impact
Moderate
A stack-based buffer overflow vulnerability was found in Jettison, where parsing an untrusted XML or JSON data may lead to a crash. This flaw allows an attacker to supply content that causes the parser to crash by writing outside the memory bounds if the parser is running on user-supplied input, resulting in a denial of service attack.
7.5 (High)
Affected products
Fixed
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x | — |
Vendor Fix
fix
|
Threats
Impact
Moderate
A vulnerability was found in Jettison, where parsing an untrusted XML or JSON data may lead to a crash. If the parser is running on user-supplied input, an attacker may supply content that causes the parser to crash, causing memory exhaustion. This effect may support a denial of service attack.
7.5 (High)
Affected products
Fixed
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x | — |
Vendor Fix
fix
|
Threats
Impact
Low
A flaw was found in FasterXML jackson-databind. This issue could allow an attacker to benefit from resource exhaustion when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled due to unchecked primitive value deserializers to avoid deep wrapper array nesting.
7.5 (High)
Affected products
Fixed
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x | — |
Vendor Fix
fix
|
Threats
Impact
Moderate
A flaw was found In FasterXML jackson-databind. This issue could allow an attacker to benefit from resource exhaustion due to the lack of a check in BeanDeserializer._deserializeFromArray to prevent the use of deeply nested arrays. An application is only vulnerable with certain customized choices for deserialization.
7.5 (High)
Affected products
Fixed
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x | — |
Vendor Fix
fix
|
Threats
Impact
Moderate
A flaw was found in Apache MINA SSHD, when using Java deserialization to load a serialized java.security.PrivateKey. An attacker could benefit from unsafe deserialization by inserting unsecured data that may affect the application or server.
9.8 (Critical)
Affected products
Fixed
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Important
A flaw was found in Jettison, where it is vulnerable to a denial of service caused by a stack-based buffer overflow. By sending a specially-crafted request using the map parameter, a remote attacker can cause a denial of service.
7.5 (High)
Affected products
Fixed
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x | — |
Vendor Fix
fix
|
Threats
Impact
Moderate
A flaw was found in the json5 package. The affected version of the json5 package could allow an attacker to set arbitrary and unexpected keys on the object returned from JSON5.parse.
8.8 (High)
Affected products
Fixed
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x | — |
Vendor Fix
fix
|
Threats
Impact
Moderate
A vulnerability was found in Apache CXF that could allow an attacker to perform a remote directory listing or code exfiltration. This issue only applies when the CXFServlet is configured with both the static-resources-list and redirect-query-check attributes. These attributes are not supposed to be used together, so the issue can only occur if the CXF service is misconfigured.
7.5 (High)
Affected products
Fixed
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x | — |
Vendor Fix
fix
|
Threats
Impact
Moderate
A SSRF vulnerability was found in Apache CXF. This issue occurs when parsing the href attribute of XOP:Include in MTOM requests, allowing an attacker to perform SSRF style attacks on webservices that take at least one parameter of any type.
9.8 (Critical)
Affected products
Fixed
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x | — |
Vendor Fix
fix
|
Threats
Impact
Important
A flaw was found in Keycloak, where it did not properly check client tokens for possible revocation in its client credential flow. This flaw allows an attacker to access or modify potentially sensitive information.
CWE-20 - Improper Input ValidationAffected products
Fixed
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x | — |
Vendor Fix
fix
|
Threats
Impact
Low
A flaw was found in Keycloak's OpenID Connect user authentication, which may incorrectly authenticate requests. An authenticated attacker who could obtain information from a user request within the same realm could use that data to impersonate the victim and generate new session tokens. This issue could impact confidentiality, Integrity, and availability.
4.6 (Medium)
Affected products
Fixed
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x | — |
Vendor Fix
fix
|
Threats
Impact
Moderate
References
175 references
Acknowledgments
usd AG
Marcus Nilsson
SISOFT s.c.
Grzegorz Tworek
Trifork
Peter Flintholm
Red Hat
Thibault Guittet
https://github.com/souravs17031999
Sourav Kumar
A1 Digital
Jordi Zayuelas i Muñoz
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "A new image is available for Red Hat Single Sign-On 7.6.2, running on Red\nHat OpenShift Container Platform from the release of 3.11 up to the release\nof 4.12.0.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Red Hat Single Sign-On is an integrated sign-on solution, available as a\nRed Hat JBoss Middleware for OpenShift containerized image. The Red Hat\nSingle Sign-On for OpenShift image provides an authentication server that\nyou can use to log in centrally, log out, and register. You can also manage\nuser accounts for web applications, mobile applications, and RESTful web\nservices.\n\n* snakeyaml: Constructor Deserialization Remote Code Execution (CVE-2022-1471)\n* keycloak: path traversal via double URL encoding (CVE-2022-3782)\n* RH-SSO for OpenShift images: unsecured management interface exposed to adjacent network (CVE-2022-4039)\n* snakeyaml: Denial of Service due to missing nested depth limitation for collections (CVE-2022-25857)\n* moment: inefficient parsing algorithm resulting in DoS (CVE-2022-31129)\n* sshd-common: mina-sshd: Java unsafe deserialization vulnerability (CVE-2022-45047)\n* CXF: Apache CXF: SSRF Vulnerability (CVE-2022-46364)\n* keycloak: keycloak: user impersonation via stolen uuid code (CVE-2023-0264)\n* bootstrap: Cross-site Scripting (XSS) in the collapse data-parent attribute (CVE-2018-14040)\n* rcue-bootstrap: bootstrap: Cross-site Scripting (XSS) in the data-container property of tooltip (CVE-2018-14042)\n* jquery: Prototype pollution in object\u0027s prototype leading to denial of service, remote code execution, or property injection (CVE-2019-11358)\n* jquery: Cross-site scripting due to improper injQuery.htmlPrefilter method (CVE-2020-11022)\n* keycloak: glob-parent: Regular Expression Denial of Service (CVE-2021-35065)\n* keycloak: minimist: prototype pollution (CVE-2021-44906)\n* keycloak: missing email notification template allowlist (CVE-2022-1274)\n* keycloak: XSS on izmpersonation under specific circumstances (CVE-2022-1438)\n* keycloak: Session takeover with OIDC offline refreshtokens (CVE-2022-3916)\n* Moment.js: Path traversal in moment.locale (CVE-2022-24785)\n* loader-utils: loader-utils:Regular expression denial of service (CVE-2022-37603)\n* snakeyaml: Uncaught exception in org.yaml.snakeyaml.composer.Composer.composeSequenceNode (CVE-2022-38749)\n* snakeyaml: Uncaught exception in org.yaml.snakeyaml.constructor.BaseConstructor.constructObject (CVE-2022-38750)\n* snakeyaml: Uncaught exception in java.base/java.util.regex.Pattern$Ques.match (CVE-2022-38751)\n* jettison: parser crash by stackoverflow (CVE-2022-40149)\n* jettison: memory exhaustion via user-supplied XML or JSON data (CVE-2022-40150)\n* jettison: If the value in map is the map\u0027s self, the new new JSONObject(map) cause StackOverflowError which may lead to dos (CVE-2022-45693)\n* json5: Prototype Pollution in JSON5 via Parse Method (CVE-2022-46175)\n* jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS (CVE-2022-42003)\n* jackson-databind: use of deeply nested arrays (CVE-2022-42004)\n* CXF: Apache CXF: directory listing / code exfiltration (CVE-2022-46363)\n* undertow: DoS can be achieved as Undertow server waits for the LAST_CHUNK forever for EJB invocations (CVE-2022-2764)\n* keycloak: Client Registration endpoint does not check token revocation (CVE-2023-0091)\n\nThis erratum releases a new image for Red Hat Single Sign-On 7.6.2 for use\nwithin the Red Hat OpenShift Container Platform (from the release of 3.11\nup to the release of 4.12.0) cloud computing Platform-as-a-Service (PaaS)\nfor on-premise or private cloud deployments, aligning with the standalone\nproduct release.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2023:1047",
"url": "https://access.redhat.com/errata/RHSA-2023:1047"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "1601614",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1601614"
},
{
"category": "external",
"summary": "1601617",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1601617"
},
{
"category": "external",
"summary": "1701972",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1701972"
},
{
"category": "external",
"summary": "1828406",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1828406"
},
{
"category": "external",
"summary": "2031904",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031904"
},
{
"category": "external",
"summary": "2066009",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2066009"
},
{
"category": "external",
"summary": "2072009",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2072009"
},
{
"category": "external",
"summary": "2073157",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2073157"
},
{
"category": "external",
"summary": "2105075",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2105075"
},
{
"category": "external",
"summary": "2117506",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2117506"
},
{
"category": "external",
"summary": "2126789",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2126789"
},
{
"category": "external",
"summary": "2129706",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2129706"
},
{
"category": "external",
"summary": "2129707",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2129707"
},
{
"category": "external",
"summary": "2129709",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2129709"
},
{
"category": "external",
"summary": "2135244",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135244"
},
{
"category": "external",
"summary": "2135247",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135247"
},
{
"category": "external",
"summary": "2135770",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135770"
},
{
"category": "external",
"summary": "2135771",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135771"
},
{
"category": "external",
"summary": "2138971",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2138971"
},
{
"category": "external",
"summary": "2140597",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2140597"
},
{
"category": "external",
"summary": "2141404",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2141404"
},
{
"category": "external",
"summary": "2143416",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2143416"
},
{
"category": "external",
"summary": "2145194",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2145194"
},
{
"category": "external",
"summary": "2150009",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2150009"
},
{
"category": "external",
"summary": "2155681",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2155681"
},
{
"category": "external",
"summary": "2155682",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2155682"
},
{
"category": "external",
"summary": "2155970",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2155970"
},
{
"category": "external",
"summary": "2156263",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2156263"
},
{
"category": "external",
"summary": "2156324",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2156324"
},
{
"category": "external",
"summary": "2158585",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2158585"
},
{
"category": "external",
"summary": "2160585",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2160585"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2023/rhsa-2023_1047.json"
}
],
"title": "Red Hat Security Advisory: Red Hat Single Sign-On 7.6.2 for OpenShift image security and enhancement update",
"tracking": {
"current_release_date": "2024-12-18T00:38:34+00:00",
"generator": {
"date": "2024-12-18T00:38:34+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.2.3"
}
},
"id": "RHSA-2023:1047",
"initial_release_date": "2023-03-01T21:46:46+00:00",
"revision_history": [
{
"date": "2023-03-01T21:46:46+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2023-03-01T21:46:46+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2024-12-18T00:38:34+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Middleware Containers for OpenShift",
"product": {
"name": "Middleware Containers for OpenShift",
"product_id": "8Base-RHOSE-Middleware",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:rhosemc:1.0::el8"
}
}
}
],
"category": "product_family",
"name": "Red Hat OpenShift Enterprise"
},
{
"branches": [
{
"category": "product_version",
"name": "rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x",
"product": {
"name": "rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x",
"product_id": "rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x",
"product_identification_helper": {
"purl": "pkg:oci/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21?arch=s390x\u0026repository_url=registry.redhat.io/rh-sso-7/sso76-openshift-rhel8\u0026tag=7.6-20"
}
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"product": {
"name": "rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"product_id": "rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60?arch=ppc64le\u0026repository_url=registry.redhat.io/rh-sso-7/sso76-openshift-rhel8\u0026tag=7.6-20"
}
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"product": {
"name": "rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"product_id": "rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"product_identification_helper": {
"purl": "pkg:oci/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f?arch=amd64\u0026repository_url=registry.redhat.io/rh-sso-7/sso76-openshift-rhel8\u0026tag=7.6-20"
}
}
}
],
"category": "architecture",
"name": "amd64"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le as a component of Middleware Containers for OpenShift",
"product_id": "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le"
},
"product_reference": "rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"relates_to_product_reference": "8Base-RHOSE-Middleware"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64 as a component of Middleware Containers for OpenShift",
"product_id": "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64"
},
"product_reference": "rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"relates_to_product_reference": "8Base-RHOSE-Middleware"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x as a component of Middleware Containers for OpenShift",
"product_id": "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x"
},
"product_reference": "rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x",
"relates_to_product_reference": "8Base-RHOSE-Middleware"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2018-14040",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2018-07-13T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1601614"
}
],
"notes": [
{
"category": "description",
"text": "In Bootstrap before 4.1.2, XSS is possible in the collapse data-parent attribute.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "bootstrap: Cross-site Scripting (XSS) in the collapse data-parent attribute",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Satellite 6.2 and newer versions don\u0027t use the bootstrap library, hence are not affected by this flaw.\n\nRed Hat CloudForms 4.6 and newer versions include the vulnerable component, but there is no risk of exploitation, since there is no possible vector to access the vulnerability. Older Red Hat CloudForms versions don\u0027t use the vulnerable component at all.\n\nRed Hat Enterprise Satellite 5 is now in Maintenance Support 2 phase of the support and maintenance life cycle. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Satellite 5 Life Cycle: https://access.redhat.com/support/policy/updates/satellite.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2018-14040"
},
{
"category": "external",
"summary": "RHBZ#1601614",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1601614"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2018-14040",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-14040"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2018-14040",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-14040"
}
],
"release_date": "2018-05-29T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:46:46+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1047"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
"products": [
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "bootstrap: Cross-site Scripting (XSS) in the collapse data-parent attribute"
},
{
"cve": "CVE-2018-14042",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2018-07-13T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1601617"
}
],
"notes": [
{
"category": "description",
"text": "In Bootstrap before 4.1.2, XSS is possible in the data-container property of tooltip.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "bootstrap: Cross-site Scripting (XSS) in the data-container property of tooltip",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Satellite 6.2 and newer versions don\u0027t use the bootstrap library, hence are not affected by this flaw.\n\nRed Hat CloudForms 4.6 and newer versions include the vulnerable component, but there is no risk of exploitation, since there is no possible vector to access the vulnerability. Older Red Hat CloudForms versions don\u0027t use the vulnerable component at all.\n\nRed Hat Enterprise Satellite 5 is now in Maintenance Support 2 phase of the support and maintenance life cycle. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Satellite 5 Life Cycle: https://access.redhat.com/support/policy/updates/satellite.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2018-14042"
},
{
"category": "external",
"summary": "RHBZ#1601617",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1601617"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2018-14042",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-14042"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2018-14042",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-14042"
}
],
"release_date": "2018-05-29T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:46:46+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1047"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
"products": [
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "bootstrap: Cross-site Scripting (XSS) in the data-container property of tooltip"
},
{
"cve": "CVE-2019-11358",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2019-03-28T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1701972"
}
],
"notes": [
{
"category": "description",
"text": "A Prototype Pollution vulnerability was found in jquery. Untrusted JSON passed to the `extend` function could lead to modifying objects up the prototype chain, including the global Object. A crafted JSON object passed to a vulnerable method could lead to denial of service or data injection, with various consequences.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jquery: Prototype pollution in object\u0027s prototype leading to denial of service, remote code execution, or property injection",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Virtualization 4.2 EUS contains the affected version of bootstrap in the packages ovirt-js-dependencies and ovirt-engine-dashboard. These packages are deprecated in Red Hat Virtualization 4.3.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2019-11358"
},
{
"category": "external",
"summary": "RHBZ#1701972",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1701972"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2019-11358",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-11358"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-11358",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-11358"
},
{
"category": "external",
"summary": "https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/",
"url": "https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/"
},
{
"category": "external",
"summary": "https://www.drupal.org/sa-core-2019-006",
"url": "https://www.drupal.org/sa-core-2019-006"
}
],
"release_date": "2019-03-27T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:46:46+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1047"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.0"
},
"products": [
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "jquery: Prototype pollution in object\u0027s prototype leading to denial of service, remote code execution, or property injection"
},
{
"cve": "CVE-2020-11022",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2020-04-23T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1828406"
}
],
"notes": [
{
"category": "description",
"text": "A Cross-site scripting (XSS) vulnerability exists in JQuery. This flaw allows an attacker with the ability to supply input to the \u2018HTML\u2019 function to inject Javascript into the page where that input is rendered, and have it delivered by the browser.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jquery: Cross-site scripting due to improper injQuery.htmlPrefilter method",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "No supported release of Red Hat OpenStack Platform is affected by this vulnerability as no shipped packages contain the vulnerable code.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2020-11022"
},
{
"category": "external",
"summary": "RHBZ#1828406",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1828406"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2020-11022",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-11022"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-11022",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-11022"
},
{
"category": "external",
"summary": "https://github.com/advisories/GHSA-gxr4-xjj5-5px2",
"url": "https://github.com/advisories/GHSA-gxr4-xjj5-5px2"
}
],
"release_date": "2020-04-23T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:46:46+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1047"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "jquery: Cross-site scripting due to improper injQuery.htmlPrefilter method"
},
{
"cve": "CVE-2021-35065",
"cwe": {
"id": "CWE-400",
"name": "Uncontrolled Resource Consumption"
},
"discovery_date": "2022-12-26T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2156324"
}
],
"notes": [
{
"category": "description",
"text": "A vulnerability was found in the glob-parent package. Affected versions of this package are vulnerable to Regular expression Denial of Service (ReDoS) attacks, affecting system availability.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "glob-parent: Regular Expression Denial of Service",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "The glob-parent package is a transitive dependency and this is not used directly in any of the Red Hat products. Hence, the impact is reduced to Moderate.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2021-35065"
},
{
"category": "external",
"summary": "RHBZ#2156324",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2156324"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2021-35065",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-35065"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-35065",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-35065"
},
{
"category": "external",
"summary": "https://security.snyk.io/vuln/SNYK-JS-GLOBPARENT-1314294",
"url": "https://security.snyk.io/vuln/SNYK-JS-GLOBPARENT-1314294"
}
],
"release_date": "2022-12-26T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:46:46+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1047"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "glob-parent: Regular Expression Denial of Service"
},
{
"cve": "CVE-2021-44906",
"cwe": {
"id": "CWE-1321",
"name": "Improperly Controlled Modification of Object Prototype Attributes (\u0027Prototype Pollution\u0027)"
},
"discovery_date": "2022-03-19T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2066009"
}
],
"notes": [
{
"category": "description",
"text": "An Uncontrolled Resource Consumption flaw was found in minimist. This flaw allows an attacker to trick the library into adding or modifying the properties of Object.prototype, using a constructor or __proto__ payload, resulting in prototype pollution and loss of confidentiality, availability, and integrity.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "minimist: prototype pollution",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "The original fix for CVE-2020-7598 was incomplete as it was still possible to bypass in some cases. While this flaw (CVE-2021-44906) enables attackers to control objects that they should not have access to, actual exploitation would still require a chain of independent flaws. Even though the CVSS for CVE-2021-44906 is higher than CVE-2020-7598, they are both rated as having Moderate impact.\n\nWithin Red Hat Satellite 6 this flaw has been rated as having a security impact of Low. It is not currently planned to be addressed there, as the minimist library is only included in the -doc subpackage and is part of test fixtures that are not in the execution path used by the rabl gem.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2021-44906"
},
{
"category": "external",
"summary": "RHBZ#2066009",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2066009"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2021-44906",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-44906"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-44906",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-44906"
},
{
"category": "external",
"summary": "https://github.com/advisories/GHSA-xvch-5gv4-984h",
"url": "https://github.com/advisories/GHSA-xvch-5gv4-984h"
}
],
"release_date": "2022-03-10T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:46:46+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1047"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "minimist: prototype pollution"
},
{
"acknowledgments": [
{
"names": [
"Marcus Nilsson"
],
"organization": "usd AG"
}
],
"cve": "CVE-2022-1274",
"cwe": {
"id": "CWE-80",
"name": "Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)"
},
"discovery_date": "2022-04-07T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2073157"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Keycloak in the execute-actions-email endpoint. This issue allows arbitrary HTML to be injected into emails sent to Keycloak users and can be misused to perform phishing or other attacks against users.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "keycloak: HTML injection in execute-actions-email Admin REST API",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-1274"
},
{
"category": "external",
"summary": "RHBZ#2073157",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2073157"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-1274",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-1274"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-1274",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1274"
},
{
"category": "external",
"summary": "https://github.com/keycloak/keycloak/security/advisories/GHSA-m4fv-gm5m-4725",
"url": "https://github.com/keycloak/keycloak/security/advisories/GHSA-m4fv-gm5m-4725"
}
],
"release_date": "2023-02-28T18:57:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:46:46+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1047"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:N",
"version": "3.1"
},
"products": [
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "keycloak: HTML injection in execute-actions-email Admin REST API"
},
{
"acknowledgments": [
{
"names": [
"Grzegorz Tworek"
],
"organization": "SISOFT s.c."
}
],
"cve": "CVE-2022-1438",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2021-12-13T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2031904"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Keycloak. Under specific circumstances, HTML entities are not sanitized during user impersonation, resulting in a Cross-site scripting (XSS) vulnerability.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "keycloak: XSS on impersonation under specific circumstances",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-1438"
},
{
"category": "external",
"summary": "RHBZ#2031904",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031904"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-1438",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-1438"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-1438",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1438"
}
],
"release_date": "2023-02-28T18:56:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:46:46+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1047"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "keycloak: XSS on impersonation under specific circumstances"
},
{
"cve": "CVE-2022-1471",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2022-12-01T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2150009"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the SnakeYaml package. This flaw allows an attacker to benefit from remote code execution by sending malicious YAML content and this content being deserialized by the constructor. Deserialization is unsafe and leads to Remote Code Execution (RCE).",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "SnakeYaml: Constructor Deserialization Remote Code Execution",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "In the Red Hat Process Automation 7 (RHPAM) the untrusted, malicious YAML file for deserialization by the vulnerable Snakeyaml\u0027s SafeConstructor class must be provided intentionally by the RHPAM user which requires high privileges. The potential attack complexity is also high because it depends on conditions that are beyond the attacker\u0027s control. Due to that the impact for RHPAM is reduced to Low.\n\nRed Hat Fuse 7 does not expose by default any endpoint that passes incoming data/request into vulnerable Snakeyaml\u0027s Constructor class nor pass untrusted data to this class. When this class is used, it\u2019s still only used to parse internal configuration, hence the impact by this vulnerability to Red Hat Fuse 7 is reduced to Moderate.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-1471"
},
{
"category": "external",
"summary": "RHBZ#2150009",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2150009"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-1471",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-1471"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-1471",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1471"
},
{
"category": "external",
"summary": "https://github.com/google/security-research/security/advisories/GHSA-mjmj-j48q-9wg2",
"url": "https://github.com/google/security-research/security/advisories/GHSA-mjmj-j48q-9wg2"
}
],
"release_date": "2022-10-13T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:46:46+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1047"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "SnakeYaml: Constructor Deserialization Remote Code Execution"
},
{
"cve": "CVE-2022-2764",
"discovery_date": "2022-08-11T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2117506"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Undertow with EJB invocations. This flaw allows an attacker to generate a valid HTTP request and send it to the server on an established connection after removing the LAST_CHUNK from the bytes, causing a denial of service.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "Undertow: DoS can be achieved as Undertow server waits for the LAST_CHUNK forever for EJB invocations",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-2764"
},
{
"category": "external",
"summary": "RHBZ#2117506",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2117506"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-2764",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-2764"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-2764",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2764"
}
],
"release_date": "2022-08-11T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:46:46+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1047"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 4.2,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "Undertow: DoS can be achieved as Undertow server waits for the LAST_CHUNK forever for EJB invocations"
},
{
"cve": "CVE-2022-3782",
"cwe": {
"id": "CWE-22",
"name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
},
"discovery_date": "2022-10-31T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2138971"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Keycloak, where it does not properly validate URLs included in a redirect. An attacker can use this flaw to construct a malicious request to bypass validation and access other URLs and potentially sensitive information within the domain or possibly conduct further attacks. This flaw affects any client that utilizes a wildcard in the Valid Redirect URIs field.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "keycloak: path traversal via double URL encoding",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Build of Quarkus is not impacted as this CVE affects the server-side Keycloak execution but Quarkus only acts as a Keycloak client in its quarkus-keycloak-authorization extension. For this reason Quarkus is marked with Low impact.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-3782"
},
{
"category": "external",
"summary": "RHBZ#2138971",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2138971"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-3782",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-3782"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-3782",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3782"
}
],
"release_date": "2022-12-12T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:46:46+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1047"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "keycloak: path traversal via double URL encoding"
},
{
"acknowledgments": [
{
"names": [
"Peter Flintholm"
],
"organization": "Trifork"
}
],
"cve": "CVE-2022-3916",
"cwe": {
"id": "CWE-384",
"name": "Session Fixation"
},
"discovery_date": "2022-11-09T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2141404"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the offline_access scope in Keycloak. This issue would affect users of shared computers more (especially if cookies are not cleared), due to a lack of root session validation, and the reuse of session ids across root and user authentication sessions. This enables an attacker to resolve a user session attached to a previously authenticated user; when utilizing the refresh token, they will be issued a token for the original user.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "keycloak: Session takeover with OIDC offline refreshtokens",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-3916"
},
{
"category": "external",
"summary": "RHBZ#2141404",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2141404"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-3916",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-3916"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-3916",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3916"
}
],
"release_date": "2022-11-09T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:46:46+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1047"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "keycloak: Session takeover with OIDC offline refreshtokens"
},
{
"acknowledgments": [
{
"names": [
"Thibault Guittet"
],
"organization": "Red Hat",
"summary": "This issue was discovered by Red Hat."
}
],
"cve": "CVE-2022-4039",
"cwe": {
"id": "CWE-276",
"name": "Incorrect Default Permissions"
},
"discovery_date": "2022-11-15T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2143416"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Red Hat Single Sign-On for OpenShift container images, which are configured with an unsecured management interface enabled. This flaw allows an attacker to use this interface to deploy malicious code and access and modify potentially sensitive information in the app server configuration.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "rhsso-container-image: unsecured management interface exposed to adjecent network",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-4039"
},
{
"category": "external",
"summary": "RHBZ#2143416",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2143416"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-4039",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-4039"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-4039",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-4039"
}
],
"release_date": "2023-02-28T21:26:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:46:46+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1047"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.0,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "rhsso-container-image: unsecured management interface exposed to adjecent network"
},
{
"cve": "CVE-2022-24785",
"cwe": {
"id": "CWE-22",
"name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
},
"discovery_date": "2022-04-05T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2072009"
}
],
"notes": [
{
"category": "description",
"text": "A path traversal vulnerability was found in Moment.js that impacts npm (server) users. This issue occurs if a user-provided locale string is directly used to switch moment locale, which an attacker can exploit to change the correct path to one of their choice. This can result in a loss of integrity.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "Moment.js: Path traversal in moment.locale",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-24785"
},
{
"category": "external",
"summary": "RHBZ#2072009",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2072009"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-24785",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-24785"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-24785",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24785"
},
{
"category": "external",
"summary": "https://github.com/moment/moment/security/advisories/GHSA-8hfj-j24r-96c4",
"url": "https://github.com/moment/moment/security/advisories/GHSA-8hfj-j24r-96c4"
}
],
"release_date": "2022-04-04T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:46:46+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1047"
},
{
"category": "workaround",
"details": "Sanitize the user-provided locale name before passing it to Moment.js.",
"product_ids": [
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"products": [
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "Moment.js: Path traversal in moment.locale"
},
{
"cve": "CVE-2022-25857",
"cwe": {
"id": "CWE-400",
"name": "Uncontrolled Resource Consumption"
},
"discovery_date": "2022-09-14T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2126789"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the org.yaml.snakeyaml package. This flaw allows an attacker to cause a denial of service (DoS) due to missing nested depth limitation for collections.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "snakeyaml: Denial of Service due to missing nested depth limitation for collections",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "For RHEL-8 it\u0027s downgraded to moderate because \"snakeyaml\" itself in RHEL 8 or RHEL-9 isn\u0027t shipped and \"prometheus-jmx-exporter\" is needed as build dependency. And it\u0027s not directly exploitable, hence severity marked as moderate.\nRed Hat Integration and AMQ products are not vulnerable to this flaw, so their severity has been lowered to moderate.\nRed Hat Single Sign-On uses snakeyaml from liquibase-core and is only used when performing migrations and would require administrator privileges to execute, hence severity marked as Low.\nRed Hat Fuse 7 is now in Maintenance Support Phase and details about its fix should be present soon. However, Red Hat Fuse Online (Syndesis) does will not contain the fix for this flaw.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-25857"
},
{
"category": "external",
"summary": "RHBZ#2126789",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2126789"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-25857",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-25857"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-25857",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-25857"
},
{
"category": "external",
"summary": "https://bitbucket.org/snakeyaml/snakeyaml/issues/525",
"url": "https://bitbucket.org/snakeyaml/snakeyaml/issues/525"
}
],
"release_date": "2022-08-30T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:46:46+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1047"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "snakeyaml: Denial of Service due to missing nested depth limitation for collections"
},
{
"cve": "CVE-2022-31129",
"cwe": {
"id": "CWE-400",
"name": "Uncontrolled Resource Consumption"
},
"discovery_date": "2022-07-07T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2105075"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the Moment.js package. Users who pass user-provided strings without sanity length checks to the moment constructor are vulnerable to regular expression denial of service (ReDoS) attacks.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "moment: inefficient parsing algorithm resulting in DoS",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Fuse provides the affected software but does not use the functionality and as such its impact has been downgraded to Low.\n\nRed Hat Advanced Cluster Management for Kubernetes (RHACM) ships a vulnerable version of the moment library. However, this affected functionality is restricted behind OAuth, reducing the impact to Moderate.\n\nRed Hat Satellite ships a vulnerable version of the moment library. However, this only affects a specific component (qpid-dispatch), reducing the impact to Moderate.\n\nRed Hat Ceph Storage (RHCS) ships a vulnerable version of the moment library, however, it is not directly used and is a transitive dependency from Angular. In addition, the impact would only be to the grafana browser, and not the underlying RHCS system, which reduces the impact to Moderate. \n\nRed Hat OpenShift Service Mesh (OSSM) ships a vulnerable version of the moment library, however, it is not directly used, and as such, the impact has been lowered to Moderate.\n\nRed Hat OpenShift distributed tracing ships a vulnerable version of the moment library, however, it is not directly used, and as such, the impact has been lowered to Moderate.\n\nIn Logging Subsystem for Red Hat OpenShift the vulnerable moment nodejs package is bundled in the ose-logging-kibana6 container as a transitive dependency, hence the direct impact is reduced to Moderate.\n\nIn OpenShift Container Platform 4 the vulnerabile moment package is a third party dependency, hence the direct impact is reduced to Moderate.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-31129"
},
{
"category": "external",
"summary": "RHBZ#2105075",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2105075"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-31129",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-31129"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-31129",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-31129"
},
{
"category": "external",
"summary": "https://github.com/moment/moment/security/advisories/GHSA-wc69-rhjr-hc9g",
"url": "https://github.com/moment/moment/security/advisories/GHSA-wc69-rhjr-hc9g"
}
],
"release_date": "2022-07-06T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:46:46+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1047"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "moment: inefficient parsing algorithm resulting in DoS"
},
{
"cve": "CVE-2022-37603",
"cwe": {
"id": "CWE-185",
"name": "Incorrect Regular Expression"
},
"discovery_date": "2022-11-07T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2140597"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in loader-utils webpack library. When the url variable from interpolateName is set, the prototype can be polluted. This issue could lead to a regular expression Denial of Service (ReDoS), affecting the availability of the affected component.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "loader-utils: Regular expression denial of service",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-37603"
},
{
"category": "external",
"summary": "RHBZ#2140597",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2140597"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-37603",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-37603"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-37603",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-37603"
}
],
"release_date": "2022-10-06T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:46:46+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1047"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "loader-utils: Regular expression denial of service"
},
{
"cve": "CVE-2022-38749",
"cwe": {
"id": "CWE-787",
"name": "Out-of-bounds Write"
},
"discovery_date": "2022-09-26T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2129706"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the snakeyaml package due to a stack-overflow in parsing YAML files. By persuading a victim to open a specially-crafted file, a remote attacker could cause the application to crash, resulting in a denial of service.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "snakeyaml: Uncaught exception in org.yaml.snakeyaml.composer.Composer.composeSequenceNode",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Build of Quarkus is not affected by this issue as it already includes the fixed version.\n\nSatellite component Candlepin does not directly use snakeyaml, so it is not affected. Regardless, an update with the latest, unaffected snakeyaml version will be provided at next release.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-38749"
},
{
"category": "external",
"summary": "RHBZ#2129706",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2129706"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-38749",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-38749"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-38749",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-38749"
}
],
"release_date": "2022-09-05T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:46:46+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1047"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "snakeyaml: Uncaught exception in org.yaml.snakeyaml.composer.Composer.composeSequenceNode"
},
{
"cve": "CVE-2022-38750",
"cwe": {
"id": "CWE-787",
"name": "Out-of-bounds Write"
},
"discovery_date": "2022-09-26T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2129707"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the snakeyaml package due to a stack-overflow in parsing YAML files. By persuading a victim to open a specially-crafted file, a remote attacker could cause the application to crash.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "snakeyaml: Uncaught exception in org.yaml.snakeyaml.constructor.BaseConstructor.constructObject",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Build of Quarkus is not affected by this issue as it already includes the fixed version.\n\nSatellite component Candlepin does not directly use snakeyaml, so it is not affected. Regardless, an update with the latest, unaffected snakeyaml version will be provided at next release.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-38750"
},
{
"category": "external",
"summary": "RHBZ#2129707",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2129707"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-38750",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-38750"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-38750",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-38750"
}
],
"release_date": "2022-09-05T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:46:46+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1047"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "snakeyaml: Uncaught exception in org.yaml.snakeyaml.constructor.BaseConstructor.constructObject"
},
{
"cve": "CVE-2022-38751",
"cwe": {
"id": "CWE-787",
"name": "Out-of-bounds Write"
},
"discovery_date": "2022-09-26T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2129709"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the snakeyaml package due to a stack-overflow in parsing YAML files. By persuading a victim to open a specially-crafted file, a remote attacker could cause the application to crash.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "snakeyaml: Uncaught exception in java.base/java.util.regex.Pattern$Ques.match",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Build of Quarkus is not affected by this issue as it already includes the fixed version.\n\nSatellite component Candlepin does not directly use snakeyaml, so it is not affected. Regardless, an update with the latest, unaffected snakeyaml version will be provided at next release.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-38751"
},
{
"category": "external",
"summary": "RHBZ#2129709",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2129709"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-38751",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-38751"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-38751",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-38751"
}
],
"release_date": "2022-09-05T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:46:46+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1047"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "snakeyaml: Uncaught exception in java.base/java.util.regex.Pattern$Ques.match"
},
{
"cve": "CVE-2022-40149",
"cwe": {
"id": "CWE-787",
"name": "Out-of-bounds Write"
},
"discovery_date": "2022-10-18T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2135771"
}
],
"notes": [
{
"category": "description",
"text": "A stack-based buffer overflow vulnerability was found in Jettison, where parsing an untrusted XML or JSON data may lead to a crash. This flaw allows an attacker to supply content that causes the parser to crash by writing outside the memory bounds if the parser is running on user-supplied input, resulting in a denial of service attack.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jettison: parser crash by stackoverflow",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-40149"
},
{
"category": "external",
"summary": "RHBZ#2135771",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135771"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-40149",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-40149"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-40149",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-40149"
},
{
"category": "external",
"summary": "https://github.com/jettison-json/jettison/releases/tag/jettison-1.5.1",
"url": "https://github.com/jettison-json/jettison/releases/tag/jettison-1.5.1"
}
],
"release_date": "2022-09-20T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:46:46+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1047"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "jettison: parser crash by stackoverflow"
},
{
"cve": "CVE-2022-40150",
"cwe": {
"id": "CWE-400",
"name": "Uncontrolled Resource Consumption"
},
"discovery_date": "2022-10-18T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2135770"
}
],
"notes": [
{
"category": "description",
"text": "A vulnerability was found in Jettison, where parsing an untrusted XML or JSON data may lead to a crash. If the parser is running on user-supplied input, an attacker may supply content that causes the parser to crash, causing memory exhaustion. This effect may support a denial of service attack.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jettison: memory exhaustion via user-supplied XML or JSON data",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-40150"
},
{
"category": "external",
"summary": "RHBZ#2135770",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135770"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-40150",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-40150"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-40150",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-40150"
},
{
"category": "external",
"summary": "https://github.com/jettison-json/jettison/releases/tag/jettison-1.5.1",
"url": "https://github.com/jettison-json/jettison/releases/tag/jettison-1.5.1"
}
],
"release_date": "2022-09-20T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:46:46+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1047"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "jettison: memory exhaustion via user-supplied XML or JSON data"
},
{
"cve": "CVE-2022-42003",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2022-10-17T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2135244"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in FasterXML jackson-databind. This issue could allow an attacker to benefit from resource exhaustion when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled due to unchecked primitive value deserializers to avoid deep wrapper array nesting.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-42003"
},
{
"category": "external",
"summary": "RHBZ#2135244",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135244"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-42003",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-42003"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-42003",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-42003"
}
],
"release_date": "2022-10-02T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:46:46+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1047"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS"
},
{
"cve": "CVE-2022-42004",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2022-10-17T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2135247"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found In FasterXML jackson-databind. This issue could allow an attacker to benefit from resource exhaustion due to the lack of a check in BeanDeserializer._deserializeFromArray to prevent the use of deeply nested arrays. An application is only vulnerable with certain customized choices for deserialization.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jackson-databind: use of deeply nested arrays",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-42004"
},
{
"category": "external",
"summary": "RHBZ#2135247",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135247"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-42004",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-42004"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-42004",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-42004"
}
],
"release_date": "2022-10-02T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:46:46+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1047"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "jackson-databind: use of deeply nested arrays"
},
{
"cve": "CVE-2022-45047",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2022-11-23T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2145194"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Apache MINA SSHD, when using Java deserialization to load a serialized java.security.PrivateKey. An attacker could benefit from unsafe deserialization by inserting unsecured data that may affect the application or server.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "mina-sshd: Java unsafe deserialization vulnerability",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Impact as High as there\u0027s a mitigation for minimizing the impact which the flaw requires org.apache.sshd.server.keyprovider.SimpleGeneratorHostKeyProvider to be impacted, which would require an external/public API for an attacker to benefit from it. \n\nRed Hat Fuse 7 and Red Hat JBoss Enterprise Application Platform 7 have a lower rate (moderate) as it\u0027s very unlikely to be exploited since those are for internal usage or use a custom implementation in their case.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-45047"
},
{
"category": "external",
"summary": "RHBZ#2145194",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2145194"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-45047",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-45047"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-45047",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-45047"
},
{
"category": "external",
"summary": "https://www.mail-archive.com/dev@mina.apache.org/msg39312.html",
"url": "https://www.mail-archive.com/dev@mina.apache.org/msg39312.html"
}
],
"release_date": "2022-11-16T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:46:46+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1047"
},
{
"category": "workaround",
"details": "From the maintainer:\n\nFor Apache MINA SSHD \u003c= 2.9.1, do not use org.apache.sshd.server.keyprovider.SimpleGeneratorHostKeyProvider to generate and later load your server\u0027s host key. Use separately generated host key files, for instance in OpenSSH format, and load them via a org.apache.sshd.common.keyprovider.FileKeyPairProvider instead. Or use a custom implementation instead of \nSimpleGeneratorHostKeyProvider that uses the OpenSSH format for storing and loading the host key (via classes OpenSSHKeyPairResourceWriter and OpenSSHKeyPairResourceParser).",
"product_ids": [
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "mina-sshd: Java unsafe deserialization vulnerability"
},
{
"cve": "CVE-2022-45693",
"cwe": {
"id": "CWE-787",
"name": "Out-of-bounds Write"
},
"discovery_date": "2022-12-23T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2155970"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Jettison, where it is vulnerable to a denial of service caused by a stack-based buffer overflow. By sending a specially-crafted request using the map parameter, a remote attacker can cause a denial of service.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jettison: If the value in map is the map\u0027s self, the new new JSONObject(map) cause StackOverflowError which may lead to dos",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat has determined the impact of this flaw to be Moderate; a successful attack using this flaw would require the processing of untrusted, unsanitized, or unrestricted user inputs, which runs counter to established Red Hat security practices.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-45693"
},
{
"category": "external",
"summary": "RHBZ#2155970",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2155970"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-45693",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-45693"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-45693",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-45693"
}
],
"release_date": "2022-12-13T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:46:46+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1047"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "jettison: If the value in map is the map\u0027s self, the new new JSONObject(map) cause StackOverflowError which may lead to dos"
},
{
"cve": "CVE-2022-46175",
"cwe": {
"id": "CWE-1321",
"name": "Improperly Controlled Modification of Object Prototype Attributes (\u0027Prototype Pollution\u0027)"
},
"discovery_date": "2022-12-26T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2156263"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the json5 package. The affected version of the json5 package could allow an attacker to set arbitrary and unexpected keys on the object returned from JSON5.parse.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "json5: Prototype Pollution in JSON5 via Parse Method",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "The json5 package is a build-time dependency in Red Hat products and is not used in production runtime. Hence, the impact is set to Moderate.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-46175"
},
{
"category": "external",
"summary": "RHBZ#2156263",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2156263"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-46175",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-46175"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-46175",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-46175"
},
{
"category": "external",
"summary": "https://github.com/json5/json5/security/advisories/GHSA-9c47-m6qq-7p4h",
"url": "https://github.com/json5/json5/security/advisories/GHSA-9c47-m6qq-7p4h"
}
],
"release_date": "2022-12-24T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:46:46+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1047"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "json5: Prototype Pollution in JSON5 via Parse Method"
},
{
"cve": "CVE-2022-46363",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"discovery_date": "2022-12-21T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2155681"
}
],
"notes": [
{
"category": "description",
"text": "A vulnerability was found in Apache CXF that could allow an attacker to perform a remote directory listing or code exfiltration. This issue only applies when the CXFServlet is configured with both the static-resources-list and redirect-query-check attributes. These attributes are not supposed to be used together, so the issue can only occur if the CXF service is misconfigured.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "CXF: directory listing / code exfiltration",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-46363"
},
{
"category": "external",
"summary": "RHBZ#2155681",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2155681"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-46363",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-46363"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-46363",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-46363"
},
{
"category": "external",
"summary": "https://lists.apache.org/thread/pdzo1qgyplf4y523tnnzrcm7hoco3l8c",
"url": "https://lists.apache.org/thread/pdzo1qgyplf4y523tnnzrcm7hoco3l8c"
}
],
"release_date": "2022-12-13T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:46:46+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1047"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "CXF: directory listing / code exfiltration"
},
{
"cve": "CVE-2022-46364",
"cwe": {
"id": "CWE-918",
"name": "Server-Side Request Forgery (SSRF)"
},
"discovery_date": "2022-12-21T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2155682"
}
],
"notes": [
{
"category": "description",
"text": "A SSRF vulnerability was found in Apache CXF. This issue occurs when parsing the href attribute of XOP:Include in MTOM requests, allowing an attacker to perform SSRF style attacks on webservices that take at least one parameter of any type.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "CXF: SSRF Vulnerability",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Integration Camel Quarkus does not support CXF extensions and so is affected at a reduced impact of Moderate.\nThe RHSSO server does not ship Apache CXF. The component mentioned in CVE-2022-46364 is a transitive dependency coming from Fuse adapters and the test suite.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-46364"
},
{
"category": "external",
"summary": "RHBZ#2155682",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2155682"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-46364",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-46364"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-46364",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-46364"
},
{
"category": "external",
"summary": "https://cxf.apache.org/security-advisories.data/CVE-2022-46364.txt?version=1\u0026modificationDate=1670944472739\u0026api=v2",
"url": "https://cxf.apache.org/security-advisories.data/CVE-2022-46364.txt?version=1\u0026modificationDate=1670944472739\u0026api=v2"
}
],
"release_date": "2022-12-13T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:46:46+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1047"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "CXF: SSRF Vulnerability"
},
{
"acknowledgments": [
{
"names": [
"Sourav Kumar"
],
"organization": "https://github.com/souravs17031999",
"summary": "Acknowledged by upstream."
}
],
"cve": "CVE-2023-0091",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"discovery_date": "2022-10-28T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2158585"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Keycloak, where it did not properly check client tokens for possible revocation in its client credential flow. This flaw allows an attacker to access or modify potentially sensitive information.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "keycloak: Client Registration endpoint does not check token revocation",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2023-0091"
},
{
"category": "external",
"summary": "RHBZ#2158585",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2158585"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2023-0091",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-0091"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-0091",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0091"
},
{
"category": "external",
"summary": "https://github.com/keycloak/keycloak/security/advisories/GHSA-v436-q368-hvgg",
"url": "https://github.com/keycloak/keycloak/security/advisories/GHSA-v436-q368-hvgg"
},
{
"category": "external",
"summary": "https://github.com/keycloak/security/issues/27",
"url": "https://github.com/keycloak/security/issues/27"
}
],
"release_date": "2022-10-28T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:46:46+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1047"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.8,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "keycloak: Client Registration endpoint does not check token revocation"
},
{
"acknowledgments": [
{
"names": [
"Jordi Zayuelas i Mu\u00f1oz"
],
"organization": "A1 Digital",
"summary": "Acknowledged by upstream."
}
],
"cve": "CVE-2023-0264",
"cwe": {
"id": "CWE-303",
"name": "Incorrect Implementation of Authentication Algorithm"
},
"discovery_date": "2023-01-12T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2160585"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Keycloak\u0027s OpenID Connect user authentication, which may incorrectly authenticate requests. An authenticated attacker who could obtain information from a user request within the same realm could use that data to impersonate the victim and generate new session tokens. This issue could impact confidentiality, Integrity, and availability.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "keycloak: user impersonation via stolen uuid code",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2023-0264"
},
{
"category": "external",
"summary": "RHBZ#2160585",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2160585"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2023-0264",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-0264"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-0264",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0264"
}
],
"release_date": "2023-02-28T18:58:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:46:46+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1047"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "LOW",
"baseScore": 4.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
},
"products": [
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "keycloak: user impersonation via stolen uuid code"
}
]
}
RHSA-2023_1049
Vulnerability from csaf_redhat - Published: 2023-03-01 21:58 - Updated: 2024-12-18 00:38Summary
Red Hat Security Advisory: Red Hat Single Sign-On 7.6.2 security update
Severity
Important
Notes
Topic: A security update is now available for Red Hat Single Sign-On 7.6 from the Customer Portal.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details: Red Hat Single Sign-On 7.6 is a standalone server, based on the Keycloak project, that provides authentication and standards-based single sign-on capabilities for web and mobile applications.
This release of Red Hat Single Sign-On 7.6.2 serves as a replacement for Red Hat Single Sign-On 7.6.1, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.
Security Fix(es):
* keycloak: XSS on impersonation under specific circumstances (CVE-2022-1438)
* Moment.js: Path traversal in moment.locale (CVE-2022-24785)
* keycloak: missing email notification template allowlist (CVE-2022-1274)
* keycloak: minimist: prototype pollution (CVE-2021-44906)
* moment: inefficient parsing algorithm resulting in DoS (CVE-2022-31129)
* undertow: DoS can be achieved as Undertow server waits for the LAST_CHUNK forever for EJB invocations (CVE-2022-2764)
* snakeyaml: Denial of Service due to missing nested depth limitation for collections (CVE-2022-25857)
* loader-utils: loader-utils:Regular expression denial of service (CVE-2022-37603)
* keycloak: Session takeover with OIDC offline refreshtokens (CVE-2022-3916)
* keycloak: path traversal via double URL encoding (CVE-2022-3782)
* snakeyaml: Uncaught exception in org.yaml.snakeyaml.composer.Composer.composeSequenceNode (CVE-2022-38749)
* snakeyaml: Uncaught exception in java.base/java.util.regex.Pattern$Ques.match (CVE-2022-38751)
* snakeyaml: Uncaught exception in org.yaml.snakeyaml.constructor.BaseConstructor.constructObject (CVE-2022-38750)
* keycloak: Client Registration endpoint does not check token revocation (CVE-2023-0091)
* keycloak: glob-parent: Regular Expression Denial of Service (CVE-2021-35065)
* json5: Prototype Pollution in JSON5 via Parse Method (CVE-2022-46175)
* keycloak: keycloak: user impersonation via stolen uuid code (CVE-2023-0264)
* snakeyaml: Constructor Deserialization Remote Code Execution (CVE-2022-1471)
* CXF: Apache CXF: SSRF Vulnerability (CVE-2022-46364)
* rcue-bootstrap: bootstrap: Cross-site Scripting (XSS) in the data-container property of tooltip (CVE-2018-14042)
* jettison: If the value in map is the map's self, the new new JSONObject(map) cause StackOverflowError which may lead to dos (CVE-2022-45693)
* sshd-common: mina-sshd: Java unsafe deserialization vulnerability (CVE-2022-45047)
* jettison: memory exhaustion via user-supplied XML or JSON data (CVE-2022-40150)
* jettison: parser crash by stackoverflow (CVE-2022-40149)
* jackson-databind: use of deeply nested arrays (CVE-2022-42004)
* jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS (CVE-2022-42003)
* jquery: Cross-site scripting due to improper injQuery.htmlPrefilter method (CVE-2020-11022)
* bootstrap: Cross-site Scripting (XSS) in the collapse data-parent attribute (CVE-2018-14040)
* jquery: Prototype pollution in object's prototype leading to denial of service, remote code execution, or property injection (CVE-2019-11358)
* CXF: Apache CXF: directory listing / code exfiltration (CVE-2022-46363)
* keycloak: reflected XSS attack (CVE-2022-4137)
* Keycloak Node.js Adapter: Open redirect vulnerability in checkSSO (CVE-2022-2237)
For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
In Bootstrap before 4.1.2, XSS is possible in the collapse data-parent attribute.
6.1 (Medium)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat Single Sign-On 7
Red Hat / Red Hat Single Sign-On
|
cpe:/a:redhat:red_hat_single_sign_on:7.6
|
— |
Vendor Fix
fix
|
Threats
Impact
Moderate
In Bootstrap before 4.1.2, XSS is possible in the data-container property of tooltip.
6.1 (Medium)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat Single Sign-On 7
Red Hat / Red Hat Single Sign-On
|
cpe:/a:redhat:red_hat_single_sign_on:7.6
|
— |
Vendor Fix
fix
|
Threats
Impact
Moderate
A Prototype Pollution vulnerability was found in jquery. Untrusted JSON passed to the `extend` function could lead to modifying objects up the prototype chain, including the global Object. A crafted JSON object passed to a vulnerable method could lead to denial of service or data injection, with various consequences.
5.6 (Medium)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat Single Sign-On 7
Red Hat / Red Hat Single Sign-On
|
cpe:/a:redhat:red_hat_single_sign_on:7.6
|
— |
Vendor Fix
fix
|
Threats
Impact
Moderate
A Cross-site scripting (XSS) vulnerability exists in JQuery. This flaw allows an attacker with the ability to supply input to the ‘HTML’ function to inject Javascript into the page where that input is rendered, and have it delivered by the browser.
6.1 (Medium)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat Single Sign-On 7
Red Hat / Red Hat Single Sign-On
|
cpe:/a:redhat:red_hat_single_sign_on:7.6
|
— |
Vendor Fix
fix
|
Threats
Impact
Moderate
A flaw was found in jQuery. HTML containing \<option\> elements from untrusted sources are passed, even after sanitizing, to one of jQuery's DOM manipulation methods, which may execute untrusted code. The highest threat from this vulnerability is to data confidentiality and integrity.
6.1 (Medium)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat Single Sign-On 7
Red Hat / Red Hat Single Sign-On
|
cpe:/a:redhat:red_hat_single_sign_on:7.6
|
— |
Vendor Fix
fix
|
Threats
Impact
Moderate
A vulnerability was found in the glob-parent package. Affected versions of this package are vulnerable to Regular expression Denial of Service (ReDoS) attacks, affecting system availability.
7.5 (High)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat Single Sign-On 7
Red Hat / Red Hat Single Sign-On
|
cpe:/a:redhat:red_hat_single_sign_on:7.6
|
— |
Vendor Fix
fix
|
Threats
Impact
Low
An Uncontrolled Resource Consumption flaw was found in minimist. This flaw allows an attacker to trick the library into adding or modifying the properties of Object.prototype, using a constructor or __proto__ payload, resulting in prototype pollution and loss of confidentiality, availability, and integrity.
9.8 (Critical)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat Single Sign-On 7
Red Hat / Red Hat Single Sign-On
|
cpe:/a:redhat:red_hat_single_sign_on:7.6
|
— |
Vendor Fix
fix
|
Threats
Impact
Moderate
A flaw was found in Keycloak in the execute-actions-email endpoint. This issue allows arbitrary HTML to be injected into emails sent to Keycloak users and can be misused to perform phishing or other attacks against users.
7.6 (High)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat Single Sign-On 7
Red Hat / Red Hat Single Sign-On
|
cpe:/a:redhat:red_hat_single_sign_on:7.6
|
— |
Vendor Fix
fix
|
Threats
Impact
Moderate
A flaw was found in Keycloak. Under specific circumstances, HTML entities are not sanitized during user impersonation, resulting in a Cross-site scripting (XSS) vulnerability.
6.4 (Medium)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat Single Sign-On 7
Red Hat / Red Hat Single Sign-On
|
cpe:/a:redhat:red_hat_single_sign_on:7.6
|
— |
Vendor Fix
fix
|
Threats
Impact
Moderate
A flaw was found in the SnakeYaml package. This flaw allows an attacker to benefit from remote code execution by sending malicious YAML content and this content being deserialized by the constructor. Deserialization is unsafe and leads to Remote Code Execution (RCE).
9.8 (Critical)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat Single Sign-On 7
Red Hat / Red Hat Single Sign-On
|
cpe:/a:redhat:red_hat_single_sign_on:7.6
|
— |
Vendor Fix
fix
|
Threats
Impact
Important
A flaw was found in the Keycloak Node.js Adapter. This flaw allows an attacker to benefit from an Open Redirect vulnerability in the checkSso function.
6.8 (Medium)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat Single Sign-On 7
Red Hat / Red Hat Single Sign-On
|
cpe:/a:redhat:red_hat_single_sign_on:7.6
|
— |
Vendor Fix
fix
|
Threats
Impact
Moderate
A flaw was found in Undertow with EJB invocations. This flaw allows an attacker to generate a valid HTTP request and send it to the server on an established connection after removing the LAST_CHUNK from the bytes, causing a denial of service.
4.2 (Medium)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat Single Sign-On 7
Red Hat / Red Hat Single Sign-On
|
cpe:/a:redhat:red_hat_single_sign_on:7.6
|
— |
Vendor Fix
fix
|
Threats
Impact
Low
A flaw was found in Keycloak, where it does not properly validate URLs included in a redirect. An attacker can use this flaw to construct a malicious request to bypass validation and access other URLs and potentially sensitive information within the domain or possibly conduct further attacks. This flaw affects any client that utilizes a wildcard in the Valid Redirect URIs field.
8.1 (High)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat Single Sign-On 7
Red Hat / Red Hat Single Sign-On
|
cpe:/a:redhat:red_hat_single_sign_on:7.6
|
— |
Vendor Fix
fix
|
Threats
Impact
Important
A flaw was found in the offline_access scope in Keycloak. This issue would affect users of shared computers more (especially if cookies are not cleared), due to a lack of root session validation, and the reuse of session ids across root and user authentication sessions. This enables an attacker to resolve a user session attached to a previously authenticated user; when utilizing the refresh token, they will be issued a token for the original user.
6.8 (Medium)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat Single Sign-On 7
Red Hat / Red Hat Single Sign-On
|
cpe:/a:redhat:red_hat_single_sign_on:7.6
|
— |
Vendor Fix
fix
|
Threats
Impact
Moderate
A reflected cross-site scripting (XSS) vulnerability was found in the 'oob' OAuth endpoint due to incorrect null-byte handling. This issue allows a malicious link to insert an arbitrary URI into a Keycloak error page. This flaw requires a user or administrator to interact with a link in order to be vulnerable. This may compromise user details, allowing it to be changed or collected by an attacker.
8.1 (High)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat Single Sign-On 7
Red Hat / Red Hat Single Sign-On
|
cpe:/a:redhat:red_hat_single_sign_on:7.6
|
— |
Vendor Fix
fix
|
Threats
Impact
Important
A path traversal vulnerability was found in Moment.js that impacts npm (server) users. This issue occurs if a user-provided locale string is directly used to switch moment locale, which an attacker can exploit to change the correct path to one of their choice. This can result in a loss of integrity.
7.5 (High)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat Single Sign-On 7
Red Hat / Red Hat Single Sign-On
|
cpe:/a:redhat:red_hat_single_sign_on:7.6
|
— |
Vendor Fix
fix
Workaround
|
Threats
Impact
Moderate
A flaw was found in the org.yaml.snakeyaml package. This flaw allows an attacker to cause a denial of service (DoS) due to missing nested depth limitation for collections.
7.5 (High)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat Single Sign-On 7
Red Hat / Red Hat Single Sign-On
|
cpe:/a:redhat:red_hat_single_sign_on:7.6
|
— |
Vendor Fix
fix
|
Threats
Impact
Low
A flaw was found in the Moment.js package. Users who pass user-provided strings without sanity length checks to the moment constructor are vulnerable to regular expression denial of service (ReDoS) attacks.
7.5 (High)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat Single Sign-On 7
Red Hat / Red Hat Single Sign-On
|
cpe:/a:redhat:red_hat_single_sign_on:7.6
|
— |
Vendor Fix
fix
|
Threats
Impact
Important
A flaw was found in loader-utils webpack library. When the url variable from interpolateName is set, the prototype can be polluted. This issue could lead to a regular expression Denial of Service (ReDoS), affecting the availability of the affected component.
7.5 (High)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat Single Sign-On 7
Red Hat / Red Hat Single Sign-On
|
cpe:/a:redhat:red_hat_single_sign_on:7.6
|
— |
Vendor Fix
fix
|
Threats
Impact
Moderate
A flaw was found in the snakeyaml package due to a stack-overflow in parsing YAML files. By persuading a victim to open a specially-crafted file, a remote attacker could cause the application to crash, resulting in a denial of service.
6.5 (Medium)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat Single Sign-On 7
Red Hat / Red Hat Single Sign-On
|
cpe:/a:redhat:red_hat_single_sign_on:7.6
|
— |
Vendor Fix
fix
|
Threats
Impact
Moderate
A flaw was found in the snakeyaml package due to a stack-overflow in parsing YAML files. By persuading a victim to open a specially-crafted file, a remote attacker could cause the application to crash.
5.5 (Medium)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat Single Sign-On 7
Red Hat / Red Hat Single Sign-On
|
cpe:/a:redhat:red_hat_single_sign_on:7.6
|
— |
Vendor Fix
fix
|
Threats
Impact
Moderate
A flaw was found in the snakeyaml package due to a stack-overflow in parsing YAML files. By persuading a victim to open a specially-crafted file, a remote attacker could cause the application to crash.
6.5 (Medium)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat Single Sign-On 7
Red Hat / Red Hat Single Sign-On
|
cpe:/a:redhat:red_hat_single_sign_on:7.6
|
— |
Vendor Fix
fix
|
Threats
Impact
Moderate
A stack-based buffer overflow vulnerability was found in Jettison, where parsing an untrusted XML or JSON data may lead to a crash. This flaw allows an attacker to supply content that causes the parser to crash by writing outside the memory bounds if the parser is running on user-supplied input, resulting in a denial of service attack.
7.5 (High)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat Single Sign-On 7
Red Hat / Red Hat Single Sign-On
|
cpe:/a:redhat:red_hat_single_sign_on:7.6
|
— |
Vendor Fix
fix
|
Threats
Impact
Moderate
A vulnerability was found in Jettison, where parsing an untrusted XML or JSON data may lead to a crash. If the parser is running on user-supplied input, an attacker may supply content that causes the parser to crash, causing memory exhaustion. This effect may support a denial of service attack.
7.5 (High)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat Single Sign-On 7
Red Hat / Red Hat Single Sign-On
|
cpe:/a:redhat:red_hat_single_sign_on:7.6
|
— |
Vendor Fix
fix
|
Threats
Impact
Low
A flaw was found in FasterXML jackson-databind. This issue could allow an attacker to benefit from resource exhaustion when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled due to unchecked primitive value deserializers to avoid deep wrapper array nesting.
7.5 (High)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat Single Sign-On 7
Red Hat / Red Hat Single Sign-On
|
cpe:/a:redhat:red_hat_single_sign_on:7.6
|
— |
Vendor Fix
fix
|
Threats
Impact
Moderate
A flaw was found In FasterXML jackson-databind. This issue could allow an attacker to benefit from resource exhaustion due to the lack of a check in BeanDeserializer._deserializeFromArray to prevent the use of deeply nested arrays. An application is only vulnerable with certain customized choices for deserialization.
7.5 (High)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat Single Sign-On 7
Red Hat / Red Hat Single Sign-On
|
cpe:/a:redhat:red_hat_single_sign_on:7.6
|
— |
Vendor Fix
fix
|
Threats
Impact
Moderate
A flaw was found in Apache MINA SSHD, when using Java deserialization to load a serialized java.security.PrivateKey. An attacker could benefit from unsafe deserialization by inserting unsecured data that may affect the application or server.
9.8 (Critical)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat Single Sign-On 7
Red Hat / Red Hat Single Sign-On
|
cpe:/a:redhat:red_hat_single_sign_on:7.6
|
— |
Vendor Fix
fix
Workaround
|
Threats
Impact
Important
A flaw was found in Jettison, where it is vulnerable to a denial of service caused by a stack-based buffer overflow. By sending a specially-crafted request using the map parameter, a remote attacker can cause a denial of service.
7.5 (High)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat Single Sign-On 7
Red Hat / Red Hat Single Sign-On
|
cpe:/a:redhat:red_hat_single_sign_on:7.6
|
— |
Vendor Fix
fix
|
Threats
Impact
Moderate
A flaw was found in the json5 package. The affected version of the json5 package could allow an attacker to set arbitrary and unexpected keys on the object returned from JSON5.parse.
8.8 (High)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat Single Sign-On 7
Red Hat / Red Hat Single Sign-On
|
cpe:/a:redhat:red_hat_single_sign_on:7.6
|
— |
Vendor Fix
fix
|
Threats
Impact
Low
A vulnerability was found in Apache CXF that could allow an attacker to perform a remote directory listing or code exfiltration. This issue only applies when the CXFServlet is configured with both the static-resources-list and redirect-query-check attributes. These attributes are not supposed to be used together, so the issue can only occur if the CXF service is misconfigured.
7.5 (High)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat Single Sign-On 7
Red Hat / Red Hat Single Sign-On
|
cpe:/a:redhat:red_hat_single_sign_on:7.6
|
— |
Vendor Fix
fix
|
Threats
Impact
Moderate
A SSRF vulnerability was found in Apache CXF. This issue occurs when parsing the href attribute of XOP:Include in MTOM requests, allowing an attacker to perform SSRF style attacks on webservices that take at least one parameter of any type.
9.8 (Critical)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat Single Sign-On 7
Red Hat / Red Hat Single Sign-On
|
cpe:/a:redhat:red_hat_single_sign_on:7.6
|
— |
Vendor Fix
fix
|
Threats
Impact
Important
A flaw was found in Keycloak, where it did not properly check client tokens for possible revocation in its client credential flow. This flaw allows an attacker to access or modify potentially sensitive information.
CWE-20 - Improper Input ValidationAffected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat Single Sign-On 7
Red Hat / Red Hat Single Sign-On
|
cpe:/a:redhat:red_hat_single_sign_on:7.6
|
— |
Vendor Fix
fix
|
Threats
Impact
Low
A flaw was found in Keycloak's OpenID Connect user authentication, which may incorrectly authenticate requests. An authenticated attacker who could obtain information from a user request within the same realm could use that data to impersonate the victim and generate new session tokens. This issue could impact confidentiality, Integrity, and availability.
4.6 (Medium)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat Single Sign-On 7
Red Hat / Red Hat Single Sign-On
|
cpe:/a:redhat:red_hat_single_sign_on:7.6
|
— |
Vendor Fix
fix
|
Threats
Impact
Moderate
References
185 references
Acknowledgments
usd AG
Marcus Nilsson
SISOFT s.c.
Grzegorz Tworek
NETAŞ PENTEST TEAM
Aytaç Kalıncı
Ilker Bulgurcu
Yasin Yılmaz
Trifork
Peter Flintholm
https://github.com/souravs17031999
Sourav Kumar
A1 Digital
Jordi Zayuelas i Muñoz
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "A security update is now available for Red Hat Single Sign-On 7.6 from the Customer Portal.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Red Hat Single Sign-On 7.6 is a standalone server, based on the Keycloak project, that provides authentication and standards-based single sign-on capabilities for web and mobile applications.\n\nThis release of Red Hat Single Sign-On 7.6.2 serves as a replacement for Red Hat Single Sign-On 7.6.1, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.\n\nSecurity Fix(es):\n* keycloak: XSS on impersonation under specific circumstances (CVE-2022-1438)\n* Moment.js: Path traversal in moment.locale (CVE-2022-24785)\n* keycloak: missing email notification template allowlist (CVE-2022-1274)\n* keycloak: minimist: prototype pollution (CVE-2021-44906)\n* moment: inefficient parsing algorithm resulting in DoS (CVE-2022-31129)\n* undertow: DoS can be achieved as Undertow server waits for the LAST_CHUNK forever for EJB invocations (CVE-2022-2764)\n* snakeyaml: Denial of Service due to missing nested depth limitation for collections (CVE-2022-25857)\n* loader-utils: loader-utils:Regular expression denial of service (CVE-2022-37603)\n* keycloak: Session takeover with OIDC offline refreshtokens (CVE-2022-3916)\n* keycloak: path traversal via double URL encoding (CVE-2022-3782)\n* snakeyaml: Uncaught exception in org.yaml.snakeyaml.composer.Composer.composeSequenceNode (CVE-2022-38749)\n* snakeyaml: Uncaught exception in java.base/java.util.regex.Pattern$Ques.match (CVE-2022-38751)\n* snakeyaml: Uncaught exception in org.yaml.snakeyaml.constructor.BaseConstructor.constructObject (CVE-2022-38750)\n* keycloak: Client Registration endpoint does not check token revocation (CVE-2023-0091)\n* keycloak: glob-parent: Regular Expression Denial of Service (CVE-2021-35065)\n* json5: Prototype Pollution in JSON5 via Parse Method (CVE-2022-46175)\n* keycloak: keycloak: user impersonation via stolen uuid code (CVE-2023-0264)\n* snakeyaml: Constructor Deserialization Remote Code Execution (CVE-2022-1471)\n* CXF: Apache CXF: SSRF Vulnerability (CVE-2022-46364)\n* rcue-bootstrap: bootstrap: Cross-site Scripting (XSS) in the data-container property of tooltip (CVE-2018-14042)\n* jettison: If the value in map is the map\u0027s self, the new new JSONObject(map) cause StackOverflowError which may lead to dos (CVE-2022-45693)\n* sshd-common: mina-sshd: Java unsafe deserialization vulnerability (CVE-2022-45047)\n* jettison: memory exhaustion via user-supplied XML or JSON data (CVE-2022-40150)\n* jettison: parser crash by stackoverflow (CVE-2022-40149)\n* jackson-databind: use of deeply nested arrays (CVE-2022-42004)\n* jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS (CVE-2022-42003)\n* jquery: Cross-site scripting due to improper injQuery.htmlPrefilter method (CVE-2020-11022)\n* bootstrap: Cross-site Scripting (XSS) in the collapse data-parent attribute (CVE-2018-14040)\n* jquery: Prototype pollution in object\u0027s prototype leading to denial of service, remote code execution, or property injection (CVE-2019-11358)\n* CXF: Apache CXF: directory listing / code exfiltration (CVE-2022-46363)\n* keycloak: reflected XSS attack (CVE-2022-4137)\n* Keycloak Node.js Adapter: Open redirect vulnerability in checkSSO (CVE-2022-2237)\n\nFor more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2023:1049",
"url": "https://access.redhat.com/errata/RHSA-2023:1049"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "1601614",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1601614"
},
{
"category": "external",
"summary": "1601617",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1601617"
},
{
"category": "external",
"summary": "1701972",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1701972"
},
{
"category": "external",
"summary": "1828406",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1828406"
},
{
"category": "external",
"summary": "2031904",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031904"
},
{
"category": "external",
"summary": "2066009",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2066009"
},
{
"category": "external",
"summary": "2072009",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2072009"
},
{
"category": "external",
"summary": "2073157",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2073157"
},
{
"category": "external",
"summary": "2097007",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2097007"
},
{
"category": "external",
"summary": "2105075",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2105075"
},
{
"category": "external",
"summary": "2117506",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2117506"
},
{
"category": "external",
"summary": "2126789",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2126789"
},
{
"category": "external",
"summary": "2129706",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2129706"
},
{
"category": "external",
"summary": "2129707",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2129707"
},
{
"category": "external",
"summary": "2129709",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2129709"
},
{
"category": "external",
"summary": "2135244",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135244"
},
{
"category": "external",
"summary": "2135247",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135247"
},
{
"category": "external",
"summary": "2135770",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135770"
},
{
"category": "external",
"summary": "2135771",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135771"
},
{
"category": "external",
"summary": "2138971",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2138971"
},
{
"category": "external",
"summary": "2140597",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2140597"
},
{
"category": "external",
"summary": "2141404",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2141404"
},
{
"category": "external",
"summary": "2145194",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2145194"
},
{
"category": "external",
"summary": "2148496",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2148496"
},
{
"category": "external",
"summary": "2150009",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2150009"
},
{
"category": "external",
"summary": "2155681",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2155681"
},
{
"category": "external",
"summary": "2155682",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2155682"
},
{
"category": "external",
"summary": "2155970",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2155970"
},
{
"category": "external",
"summary": "2156263",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2156263"
},
{
"category": "external",
"summary": "2156324",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2156324"
},
{
"category": "external",
"summary": "2158585",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2158585"
},
{
"category": "external",
"summary": "2160585",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2160585"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2023/rhsa-2023_1049.json"
}
],
"title": "Red Hat Security Advisory: Red Hat Single Sign-On 7.6.2 security update",
"tracking": {
"current_release_date": "2024-12-18T00:38:25+00:00",
"generator": {
"date": "2024-12-18T00:38:25+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.2.3"
}
},
"id": "RHSA-2023:1049",
"initial_release_date": "2023-03-01T21:58:17+00:00",
"revision_history": [
{
"date": "2023-03-01T21:58:17+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2023-03-01T21:58:17+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2024-12-18T00:38:25+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Single Sign-On 7",
"product": {
"name": "Red Hat Single Sign-On 7",
"product_id": "Red Hat Single Sign-On 7",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:red_hat_single_sign_on:7.6"
}
}
}
],
"category": "product_family",
"name": "Red Hat Single Sign-On"
}
],
"category": "vendor",
"name": "Red Hat"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2018-14040",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2018-07-13T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1601614"
}
],
"notes": [
{
"category": "description",
"text": "In Bootstrap before 4.1.2, XSS is possible in the collapse data-parent attribute.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "bootstrap: Cross-site Scripting (XSS) in the collapse data-parent attribute",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Satellite 6.2 and newer versions don\u0027t use the bootstrap library, hence are not affected by this flaw.\n\nRed Hat CloudForms 4.6 and newer versions include the vulnerable component, but there is no risk of exploitation, since there is no possible vector to access the vulnerability. Older Red Hat CloudForms versions don\u0027t use the vulnerable component at all.\n\nRed Hat Enterprise Satellite 5 is now in Maintenance Support 2 phase of the support and maintenance life cycle. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Satellite 5 Life Cycle: https://access.redhat.com/support/policy/updates/satellite.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Single Sign-On 7"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2018-14040"
},
{
"category": "external",
"summary": "RHBZ#1601614",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1601614"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2018-14040",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-14040"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2018-14040",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-14040"
}
],
"release_date": "2018-05-29T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:58:17+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat Single Sign-On 7"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1049"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
"products": [
"Red Hat Single Sign-On 7"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "bootstrap: Cross-site Scripting (XSS) in the collapse data-parent attribute"
},
{
"cve": "CVE-2018-14042",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2018-07-13T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1601617"
}
],
"notes": [
{
"category": "description",
"text": "In Bootstrap before 4.1.2, XSS is possible in the data-container property of tooltip.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "bootstrap: Cross-site Scripting (XSS) in the data-container property of tooltip",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Satellite 6.2 and newer versions don\u0027t use the bootstrap library, hence are not affected by this flaw.\n\nRed Hat CloudForms 4.6 and newer versions include the vulnerable component, but there is no risk of exploitation, since there is no possible vector to access the vulnerability. Older Red Hat CloudForms versions don\u0027t use the vulnerable component at all.\n\nRed Hat Enterprise Satellite 5 is now in Maintenance Support 2 phase of the support and maintenance life cycle. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Satellite 5 Life Cycle: https://access.redhat.com/support/policy/updates/satellite.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Single Sign-On 7"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2018-14042"
},
{
"category": "external",
"summary": "RHBZ#1601617",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1601617"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2018-14042",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-14042"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2018-14042",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-14042"
}
],
"release_date": "2018-05-29T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:58:17+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat Single Sign-On 7"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1049"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
"products": [
"Red Hat Single Sign-On 7"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "bootstrap: Cross-site Scripting (XSS) in the data-container property of tooltip"
},
{
"cve": "CVE-2019-11358",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2019-03-28T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1701972"
}
],
"notes": [
{
"category": "description",
"text": "A Prototype Pollution vulnerability was found in jquery. Untrusted JSON passed to the `extend` function could lead to modifying objects up the prototype chain, including the global Object. A crafted JSON object passed to a vulnerable method could lead to denial of service or data injection, with various consequences.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jquery: Prototype pollution in object\u0027s prototype leading to denial of service, remote code execution, or property injection",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Virtualization 4.2 EUS contains the affected version of bootstrap in the packages ovirt-js-dependencies and ovirt-engine-dashboard. These packages are deprecated in Red Hat Virtualization 4.3.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Single Sign-On 7"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2019-11358"
},
{
"category": "external",
"summary": "RHBZ#1701972",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1701972"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2019-11358",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-11358"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-11358",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-11358"
},
{
"category": "external",
"summary": "https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/",
"url": "https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/"
},
{
"category": "external",
"summary": "https://www.drupal.org/sa-core-2019-006",
"url": "https://www.drupal.org/sa-core-2019-006"
}
],
"release_date": "2019-03-27T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:58:17+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat Single Sign-On 7"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1049"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.0"
},
"products": [
"Red Hat Single Sign-On 7"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "jquery: Prototype pollution in object\u0027s prototype leading to denial of service, remote code execution, or property injection"
},
{
"cve": "CVE-2020-11022",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2020-04-23T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1828406"
}
],
"notes": [
{
"category": "description",
"text": "A Cross-site scripting (XSS) vulnerability exists in JQuery. This flaw allows an attacker with the ability to supply input to the \u2018HTML\u2019 function to inject Javascript into the page where that input is rendered, and have it delivered by the browser.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jquery: Cross-site scripting due to improper injQuery.htmlPrefilter method",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "No supported release of Red Hat OpenStack Platform is affected by this vulnerability as no shipped packages contain the vulnerable code.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Single Sign-On 7"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2020-11022"
},
{
"category": "external",
"summary": "RHBZ#1828406",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1828406"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2020-11022",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-11022"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-11022",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-11022"
},
{
"category": "external",
"summary": "https://github.com/advisories/GHSA-gxr4-xjj5-5px2",
"url": "https://github.com/advisories/GHSA-gxr4-xjj5-5px2"
}
],
"release_date": "2020-04-23T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:58:17+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat Single Sign-On 7"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1049"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"Red Hat Single Sign-On 7"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "jquery: Cross-site scripting due to improper injQuery.htmlPrefilter method"
},
{
"cve": "CVE-2020-11023",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2020-06-23T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1850004"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in jQuery. HTML containing \\\u003coption\\\u003e elements from untrusted sources are passed, even after sanitizing, to one of jQuery\u0027s DOM manipulation methods, which may execute untrusted code. The highest threat from this vulnerability is to data confidentiality and integrity.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jquery: Untrusted code execution via \u003coption\u003e tag in HTML passed to DOM manipulation methods",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Enterprise Linux versions 6, 7, and 8 ship a vulnerable version of JQuery in the `pcs` component. However, the vulnerability has not been found to be exploitable in reasonable scenarios. \n\nIn RHEL7, pcs-0.9.169-3.el7_9.3 [RHSA-2022:7343] contains an updated version of jquery (3.6.0), which does not contain the vulnerable code.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Single Sign-On 7"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2020-11023"
},
{
"category": "external",
"summary": "RHBZ#1850004",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1850004"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2020-11023",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-11023"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-11023",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-11023"
},
{
"category": "external",
"summary": "https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/",
"url": "https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/"
}
],
"release_date": "2020-04-29T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:58:17+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat Single Sign-On 7"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1049"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"Red Hat Single Sign-On 7"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "jquery: Untrusted code execution via \u003coption\u003e tag in HTML passed to DOM manipulation methods"
},
{
"cve": "CVE-2021-35065",
"cwe": {
"id": "CWE-400",
"name": "Uncontrolled Resource Consumption"
},
"discovery_date": "2022-12-26T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2156324"
}
],
"notes": [
{
"category": "description",
"text": "A vulnerability was found in the glob-parent package. Affected versions of this package are vulnerable to Regular expression Denial of Service (ReDoS) attacks, affecting system availability.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "glob-parent: Regular Expression Denial of Service",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "The glob-parent package is a transitive dependency and this is not used directly in any of the Red Hat products. Hence, the impact is reduced to Moderate.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Single Sign-On 7"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2021-35065"
},
{
"category": "external",
"summary": "RHBZ#2156324",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2156324"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2021-35065",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-35065"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-35065",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-35065"
},
{
"category": "external",
"summary": "https://security.snyk.io/vuln/SNYK-JS-GLOBPARENT-1314294",
"url": "https://security.snyk.io/vuln/SNYK-JS-GLOBPARENT-1314294"
}
],
"release_date": "2022-12-26T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:58:17+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat Single Sign-On 7"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1049"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat Single Sign-On 7"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "glob-parent: Regular Expression Denial of Service"
},
{
"cve": "CVE-2021-44906",
"cwe": {
"id": "CWE-1321",
"name": "Improperly Controlled Modification of Object Prototype Attributes (\u0027Prototype Pollution\u0027)"
},
"discovery_date": "2022-03-19T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2066009"
}
],
"notes": [
{
"category": "description",
"text": "An Uncontrolled Resource Consumption flaw was found in minimist. This flaw allows an attacker to trick the library into adding or modifying the properties of Object.prototype, using a constructor or __proto__ payload, resulting in prototype pollution and loss of confidentiality, availability, and integrity.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "minimist: prototype pollution",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "The original fix for CVE-2020-7598 was incomplete as it was still possible to bypass in some cases. While this flaw (CVE-2021-44906) enables attackers to control objects that they should not have access to, actual exploitation would still require a chain of independent flaws. Even though the CVSS for CVE-2021-44906 is higher than CVE-2020-7598, they are both rated as having Moderate impact.\n\nWithin Red Hat Satellite 6 this flaw has been rated as having a security impact of Low. It is not currently planned to be addressed there, as the minimist library is only included in the -doc subpackage and is part of test fixtures that are not in the execution path used by the rabl gem.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Single Sign-On 7"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2021-44906"
},
{
"category": "external",
"summary": "RHBZ#2066009",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2066009"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2021-44906",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-44906"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-44906",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-44906"
},
{
"category": "external",
"summary": "https://github.com/advisories/GHSA-xvch-5gv4-984h",
"url": "https://github.com/advisories/GHSA-xvch-5gv4-984h"
}
],
"release_date": "2022-03-10T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:58:17+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat Single Sign-On 7"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1049"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"Red Hat Single Sign-On 7"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "minimist: prototype pollution"
},
{
"acknowledgments": [
{
"names": [
"Marcus Nilsson"
],
"organization": "usd AG"
}
],
"cve": "CVE-2022-1274",
"cwe": {
"id": "CWE-80",
"name": "Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)"
},
"discovery_date": "2022-04-07T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2073157"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Keycloak in the execute-actions-email endpoint. This issue allows arbitrary HTML to be injected into emails sent to Keycloak users and can be misused to perform phishing or other attacks against users.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "keycloak: HTML injection in execute-actions-email Admin REST API",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Single Sign-On 7"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-1274"
},
{
"category": "external",
"summary": "RHBZ#2073157",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2073157"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-1274",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-1274"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-1274",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1274"
},
{
"category": "external",
"summary": "https://github.com/keycloak/keycloak/security/advisories/GHSA-m4fv-gm5m-4725",
"url": "https://github.com/keycloak/keycloak/security/advisories/GHSA-m4fv-gm5m-4725"
}
],
"release_date": "2023-02-28T18:57:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:58:17+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat Single Sign-On 7"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1049"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:N",
"version": "3.1"
},
"products": [
"Red Hat Single Sign-On 7"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "keycloak: HTML injection in execute-actions-email Admin REST API"
},
{
"acknowledgments": [
{
"names": [
"Grzegorz Tworek"
],
"organization": "SISOFT s.c."
}
],
"cve": "CVE-2022-1438",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2021-12-13T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2031904"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Keycloak. Under specific circumstances, HTML entities are not sanitized during user impersonation, resulting in a Cross-site scripting (XSS) vulnerability.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "keycloak: XSS on impersonation under specific circumstances",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Single Sign-On 7"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-1438"
},
{
"category": "external",
"summary": "RHBZ#2031904",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031904"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-1438",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-1438"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-1438",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1438"
}
],
"release_date": "2023-02-28T18:56:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:58:17+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat Single Sign-On 7"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1049"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"Red Hat Single Sign-On 7"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "keycloak: XSS on impersonation under specific circumstances"
},
{
"cve": "CVE-2022-1471",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2022-12-01T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2150009"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the SnakeYaml package. This flaw allows an attacker to benefit from remote code execution by sending malicious YAML content and this content being deserialized by the constructor. Deserialization is unsafe and leads to Remote Code Execution (RCE).",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "SnakeYaml: Constructor Deserialization Remote Code Execution",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "In the Red Hat Process Automation 7 (RHPAM) the untrusted, malicious YAML file for deserialization by the vulnerable Snakeyaml\u0027s SafeConstructor class must be provided intentionally by the RHPAM user which requires high privileges. The potential attack complexity is also high because it depends on conditions that are beyond the attacker\u0027s control. Due to that the impact for RHPAM is reduced to Low.\n\nRed Hat Fuse 7 does not expose by default any endpoint that passes incoming data/request into vulnerable Snakeyaml\u0027s Constructor class nor pass untrusted data to this class. When this class is used, it\u2019s still only used to parse internal configuration, hence the impact by this vulnerability to Red Hat Fuse 7 is reduced to Moderate.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Single Sign-On 7"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-1471"
},
{
"category": "external",
"summary": "RHBZ#2150009",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2150009"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-1471",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-1471"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-1471",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1471"
},
{
"category": "external",
"summary": "https://github.com/google/security-research/security/advisories/GHSA-mjmj-j48q-9wg2",
"url": "https://github.com/google/security-research/security/advisories/GHSA-mjmj-j48q-9wg2"
}
],
"release_date": "2022-10-13T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:58:17+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat Single Sign-On 7"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1049"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"Red Hat Single Sign-On 7"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "SnakeYaml: Constructor Deserialization Remote Code Execution"
},
{
"acknowledgments": [
{
"names": [
"Ayta\u00e7 Kal\u0131nc\u0131",
"Ilker Bulgurcu",
"Yasin Y\u0131lmaz"
],
"organization": "NETA\u015e PENTEST TEAM"
}
],
"cve": "CVE-2022-2237",
"cwe": {
"id": "CWE-601",
"name": "URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)"
},
"discovery_date": "2022-06-08T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2097007"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the Keycloak Node.js Adapter. This flaw allows an attacker to benefit from an Open Redirect vulnerability in the checkSso function.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "Adapter: Open redirect vulnerability in checkSSO",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "CodeReady Studio is no longer supported. Therefore, this flaw will not be addressed in CodeReady Studio. Please see https://developers.redhat.com/articles/2022/04/18/announcement-red-hat-codeready-studio-reaches-end-life for more information.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Single Sign-On 7"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-2237"
},
{
"category": "external",
"summary": "RHBZ#2097007",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2097007"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-2237",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-2237"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-2237",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2237"
}
],
"release_date": "2023-03-01T13:57:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:58:17+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat Single Sign-On 7"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1049"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"Red Hat Single Sign-On 7"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "Adapter: Open redirect vulnerability in checkSSO"
},
{
"cve": "CVE-2022-2764",
"discovery_date": "2022-08-11T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2117506"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Undertow with EJB invocations. This flaw allows an attacker to generate a valid HTTP request and send it to the server on an established connection after removing the LAST_CHUNK from the bytes, causing a denial of service.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "Undertow: DoS can be achieved as Undertow server waits for the LAST_CHUNK forever for EJB invocations",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Single Sign-On 7"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-2764"
},
{
"category": "external",
"summary": "RHBZ#2117506",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2117506"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-2764",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-2764"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-2764",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2764"
}
],
"release_date": "2022-08-11T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:58:17+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat Single Sign-On 7"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1049"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 4.2,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat Single Sign-On 7"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "Undertow: DoS can be achieved as Undertow server waits for the LAST_CHUNK forever for EJB invocations"
},
{
"cve": "CVE-2022-3782",
"cwe": {
"id": "CWE-22",
"name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
},
"discovery_date": "2022-10-31T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2138971"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Keycloak, where it does not properly validate URLs included in a redirect. An attacker can use this flaw to construct a malicious request to bypass validation and access other URLs and potentially sensitive information within the domain or possibly conduct further attacks. This flaw affects any client that utilizes a wildcard in the Valid Redirect URIs field.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "keycloak: path traversal via double URL encoding",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Build of Quarkus is not impacted as this CVE affects the server-side Keycloak execution but Quarkus only acts as a Keycloak client in its quarkus-keycloak-authorization extension. For this reason Quarkus is marked with Low impact.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Single Sign-On 7"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-3782"
},
{
"category": "external",
"summary": "RHBZ#2138971",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2138971"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-3782",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-3782"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-3782",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3782"
}
],
"release_date": "2022-12-12T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:58:17+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat Single Sign-On 7"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1049"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"Red Hat Single Sign-On 7"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "keycloak: path traversal via double URL encoding"
},
{
"acknowledgments": [
{
"names": [
"Peter Flintholm"
],
"organization": "Trifork"
}
],
"cve": "CVE-2022-3916",
"cwe": {
"id": "CWE-384",
"name": "Session Fixation"
},
"discovery_date": "2022-11-09T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2141404"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the offline_access scope in Keycloak. This issue would affect users of shared computers more (especially if cookies are not cleared), due to a lack of root session validation, and the reuse of session ids across root and user authentication sessions. This enables an attacker to resolve a user session attached to a previously authenticated user; when utilizing the refresh token, they will be issued a token for the original user.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "keycloak: Session takeover with OIDC offline refreshtokens",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Single Sign-On 7"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-3916"
},
{
"category": "external",
"summary": "RHBZ#2141404",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2141404"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-3916",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-3916"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-3916",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3916"
}
],
"release_date": "2022-11-09T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:58:17+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat Single Sign-On 7"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1049"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"Red Hat Single Sign-On 7"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "keycloak: Session takeover with OIDC offline refreshtokens"
},
{
"cve": "CVE-2022-4137",
"cwe": {
"id": "CWE-81",
"name": "Improper Neutralization of Script in an Error Message Web Page"
},
"discovery_date": "2022-11-25T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2148496"
}
],
"notes": [
{
"category": "description",
"text": "A reflected cross-site scripting (XSS) vulnerability was found in the \u0027oob\u0027 OAuth endpoint due to incorrect null-byte handling. This issue allows a malicious link to insert an arbitrary URI into a Keycloak error page. This flaw requires a user or administrator to interact with a link in order to be vulnerable. This may compromise user details, allowing it to be changed or collected by an attacker.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "keycloak: reflected XSS attack",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Single Sign-On 7"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-4137"
},
{
"category": "external",
"summary": "RHBZ#2148496",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2148496"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-4137",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-4137"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-4137",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-4137"
}
],
"release_date": "2023-03-01T13:56:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:58:17+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat Single Sign-On 7"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1049"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"Red Hat Single Sign-On 7"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "keycloak: reflected XSS attack"
},
{
"cve": "CVE-2022-24785",
"cwe": {
"id": "CWE-22",
"name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
},
"discovery_date": "2022-04-05T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2072009"
}
],
"notes": [
{
"category": "description",
"text": "A path traversal vulnerability was found in Moment.js that impacts npm (server) users. This issue occurs if a user-provided locale string is directly used to switch moment locale, which an attacker can exploit to change the correct path to one of their choice. This can result in a loss of integrity.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "Moment.js: Path traversal in moment.locale",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Single Sign-On 7"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-24785"
},
{
"category": "external",
"summary": "RHBZ#2072009",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2072009"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-24785",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-24785"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-24785",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24785"
},
{
"category": "external",
"summary": "https://github.com/moment/moment/security/advisories/GHSA-8hfj-j24r-96c4",
"url": "https://github.com/moment/moment/security/advisories/GHSA-8hfj-j24r-96c4"
}
],
"release_date": "2022-04-04T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:58:17+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat Single Sign-On 7"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1049"
},
{
"category": "workaround",
"details": "Sanitize the user-provided locale name before passing it to Moment.js.",
"product_ids": [
"Red Hat Single Sign-On 7"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"products": [
"Red Hat Single Sign-On 7"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "Moment.js: Path traversal in moment.locale"
},
{
"cve": "CVE-2022-25857",
"cwe": {
"id": "CWE-400",
"name": "Uncontrolled Resource Consumption"
},
"discovery_date": "2022-09-14T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2126789"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the org.yaml.snakeyaml package. This flaw allows an attacker to cause a denial of service (DoS) due to missing nested depth limitation for collections.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "snakeyaml: Denial of Service due to missing nested depth limitation for collections",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "For RHEL-8 it\u0027s downgraded to moderate because \"snakeyaml\" itself in RHEL 8 or RHEL-9 isn\u0027t shipped and \"prometheus-jmx-exporter\" is needed as build dependency. And it\u0027s not directly exploitable, hence severity marked as moderate.\nRed Hat Integration and AMQ products are not vulnerable to this flaw, so their severity has been lowered to moderate.\nRed Hat Single Sign-On uses snakeyaml from liquibase-core and is only used when performing migrations and would require administrator privileges to execute, hence severity marked as Low.\nRed Hat Fuse 7 is now in Maintenance Support Phase and details about its fix should be present soon. However, Red Hat Fuse Online (Syndesis) does will not contain the fix for this flaw.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Single Sign-On 7"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-25857"
},
{
"category": "external",
"summary": "RHBZ#2126789",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2126789"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-25857",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-25857"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-25857",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-25857"
},
{
"category": "external",
"summary": "https://bitbucket.org/snakeyaml/snakeyaml/issues/525",
"url": "https://bitbucket.org/snakeyaml/snakeyaml/issues/525"
}
],
"release_date": "2022-08-30T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:58:17+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat Single Sign-On 7"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1049"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat Single Sign-On 7"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "snakeyaml: Denial of Service due to missing nested depth limitation for collections"
},
{
"cve": "CVE-2022-31129",
"cwe": {
"id": "CWE-400",
"name": "Uncontrolled Resource Consumption"
},
"discovery_date": "2022-07-07T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2105075"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the Moment.js package. Users who pass user-provided strings without sanity length checks to the moment constructor are vulnerable to regular expression denial of service (ReDoS) attacks.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "moment: inefficient parsing algorithm resulting in DoS",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Fuse provides the affected software but does not use the functionality and as such its impact has been downgraded to Low.\n\nRed Hat Advanced Cluster Management for Kubernetes (RHACM) ships a vulnerable version of the moment library. However, this affected functionality is restricted behind OAuth, reducing the impact to Moderate.\n\nRed Hat Satellite ships a vulnerable version of the moment library. However, this only affects a specific component (qpid-dispatch), reducing the impact to Moderate.\n\nRed Hat Ceph Storage (RHCS) ships a vulnerable version of the moment library, however, it is not directly used and is a transitive dependency from Angular. In addition, the impact would only be to the grafana browser, and not the underlying RHCS system, which reduces the impact to Moderate. \n\nRed Hat OpenShift Service Mesh (OSSM) ships a vulnerable version of the moment library, however, it is not directly used, and as such, the impact has been lowered to Moderate.\n\nRed Hat OpenShift distributed tracing ships a vulnerable version of the moment library, however, it is not directly used, and as such, the impact has been lowered to Moderate.\n\nIn Logging Subsystem for Red Hat OpenShift the vulnerable moment nodejs package is bundled in the ose-logging-kibana6 container as a transitive dependency, hence the direct impact is reduced to Moderate.\n\nIn OpenShift Container Platform 4 the vulnerabile moment package is a third party dependency, hence the direct impact is reduced to Moderate.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Single Sign-On 7"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-31129"
},
{
"category": "external",
"summary": "RHBZ#2105075",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2105075"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-31129",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-31129"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-31129",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-31129"
},
{
"category": "external",
"summary": "https://github.com/moment/moment/security/advisories/GHSA-wc69-rhjr-hc9g",
"url": "https://github.com/moment/moment/security/advisories/GHSA-wc69-rhjr-hc9g"
}
],
"release_date": "2022-07-06T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:58:17+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat Single Sign-On 7"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1049"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat Single Sign-On 7"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "moment: inefficient parsing algorithm resulting in DoS"
},
{
"cve": "CVE-2022-37603",
"cwe": {
"id": "CWE-185",
"name": "Incorrect Regular Expression"
},
"discovery_date": "2022-11-07T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2140597"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in loader-utils webpack library. When the url variable from interpolateName is set, the prototype can be polluted. This issue could lead to a regular expression Denial of Service (ReDoS), affecting the availability of the affected component.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "loader-utils: Regular expression denial of service",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Single Sign-On 7"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-37603"
},
{
"category": "external",
"summary": "RHBZ#2140597",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2140597"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-37603",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-37603"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-37603",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-37603"
}
],
"release_date": "2022-10-06T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:58:17+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat Single Sign-On 7"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1049"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat Single Sign-On 7"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "loader-utils: Regular expression denial of service"
},
{
"cve": "CVE-2022-38749",
"cwe": {
"id": "CWE-787",
"name": "Out-of-bounds Write"
},
"discovery_date": "2022-09-26T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2129706"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the snakeyaml package due to a stack-overflow in parsing YAML files. By persuading a victim to open a specially-crafted file, a remote attacker could cause the application to crash, resulting in a denial of service.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "snakeyaml: Uncaught exception in org.yaml.snakeyaml.composer.Composer.composeSequenceNode",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Build of Quarkus is not affected by this issue as it already includes the fixed version.\n\nSatellite component Candlepin does not directly use snakeyaml, so it is not affected. Regardless, an update with the latest, unaffected snakeyaml version will be provided at next release.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Single Sign-On 7"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-38749"
},
{
"category": "external",
"summary": "RHBZ#2129706",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2129706"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-38749",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-38749"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-38749",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-38749"
}
],
"release_date": "2022-09-05T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:58:17+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat Single Sign-On 7"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1049"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat Single Sign-On 7"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "snakeyaml: Uncaught exception in org.yaml.snakeyaml.composer.Composer.composeSequenceNode"
},
{
"cve": "CVE-2022-38750",
"cwe": {
"id": "CWE-787",
"name": "Out-of-bounds Write"
},
"discovery_date": "2022-09-26T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2129707"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the snakeyaml package due to a stack-overflow in parsing YAML files. By persuading a victim to open a specially-crafted file, a remote attacker could cause the application to crash.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "snakeyaml: Uncaught exception in org.yaml.snakeyaml.constructor.BaseConstructor.constructObject",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Build of Quarkus is not affected by this issue as it already includes the fixed version.\n\nSatellite component Candlepin does not directly use snakeyaml, so it is not affected. Regardless, an update with the latest, unaffected snakeyaml version will be provided at next release.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Single Sign-On 7"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-38750"
},
{
"category": "external",
"summary": "RHBZ#2129707",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2129707"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-38750",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-38750"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-38750",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-38750"
}
],
"release_date": "2022-09-05T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:58:17+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat Single Sign-On 7"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1049"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat Single Sign-On 7"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "snakeyaml: Uncaught exception in org.yaml.snakeyaml.constructor.BaseConstructor.constructObject"
},
{
"cve": "CVE-2022-38751",
"cwe": {
"id": "CWE-787",
"name": "Out-of-bounds Write"
},
"discovery_date": "2022-09-26T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2129709"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the snakeyaml package due to a stack-overflow in parsing YAML files. By persuading a victim to open a specially-crafted file, a remote attacker could cause the application to crash.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "snakeyaml: Uncaught exception in java.base/java.util.regex.Pattern$Ques.match",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Build of Quarkus is not affected by this issue as it already includes the fixed version.\n\nSatellite component Candlepin does not directly use snakeyaml, so it is not affected. Regardless, an update with the latest, unaffected snakeyaml version will be provided at next release.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Single Sign-On 7"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-38751"
},
{
"category": "external",
"summary": "RHBZ#2129709",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2129709"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-38751",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-38751"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-38751",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-38751"
}
],
"release_date": "2022-09-05T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:58:17+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat Single Sign-On 7"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1049"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat Single Sign-On 7"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "snakeyaml: Uncaught exception in java.base/java.util.regex.Pattern$Ques.match"
},
{
"cve": "CVE-2022-40149",
"cwe": {
"id": "CWE-787",
"name": "Out-of-bounds Write"
},
"discovery_date": "2022-10-18T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2135771"
}
],
"notes": [
{
"category": "description",
"text": "A stack-based buffer overflow vulnerability was found in Jettison, where parsing an untrusted XML or JSON data may lead to a crash. This flaw allows an attacker to supply content that causes the parser to crash by writing outside the memory bounds if the parser is running on user-supplied input, resulting in a denial of service attack.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jettison: parser crash by stackoverflow",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Single Sign-On 7"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-40149"
},
{
"category": "external",
"summary": "RHBZ#2135771",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135771"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-40149",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-40149"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-40149",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-40149"
},
{
"category": "external",
"summary": "https://github.com/jettison-json/jettison/releases/tag/jettison-1.5.1",
"url": "https://github.com/jettison-json/jettison/releases/tag/jettison-1.5.1"
}
],
"release_date": "2022-09-20T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:58:17+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat Single Sign-On 7"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1049"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat Single Sign-On 7"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "jettison: parser crash by stackoverflow"
},
{
"cve": "CVE-2022-40150",
"cwe": {
"id": "CWE-400",
"name": "Uncontrolled Resource Consumption"
},
"discovery_date": "2022-10-18T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2135770"
}
],
"notes": [
{
"category": "description",
"text": "A vulnerability was found in Jettison, where parsing an untrusted XML or JSON data may lead to a crash. If the parser is running on user-supplied input, an attacker may supply content that causes the parser to crash, causing memory exhaustion. This effect may support a denial of service attack.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jettison: memory exhaustion via user-supplied XML or JSON data",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Single Sign-On 7"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-40150"
},
{
"category": "external",
"summary": "RHBZ#2135770",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135770"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-40150",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-40150"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-40150",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-40150"
},
{
"category": "external",
"summary": "https://github.com/jettison-json/jettison/releases/tag/jettison-1.5.1",
"url": "https://github.com/jettison-json/jettison/releases/tag/jettison-1.5.1"
}
],
"release_date": "2022-09-20T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:58:17+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat Single Sign-On 7"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1049"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat Single Sign-On 7"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "jettison: memory exhaustion via user-supplied XML or JSON data"
},
{
"cve": "CVE-2022-42003",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2022-10-17T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2135244"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in FasterXML jackson-databind. This issue could allow an attacker to benefit from resource exhaustion when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled due to unchecked primitive value deserializers to avoid deep wrapper array nesting.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Single Sign-On 7"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-42003"
},
{
"category": "external",
"summary": "RHBZ#2135244",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135244"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-42003",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-42003"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-42003",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-42003"
}
],
"release_date": "2022-10-02T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:58:17+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat Single Sign-On 7"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1049"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat Single Sign-On 7"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS"
},
{
"cve": "CVE-2022-42004",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2022-10-17T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2135247"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found In FasterXML jackson-databind. This issue could allow an attacker to benefit from resource exhaustion due to the lack of a check in BeanDeserializer._deserializeFromArray to prevent the use of deeply nested arrays. An application is only vulnerable with certain customized choices for deserialization.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jackson-databind: use of deeply nested arrays",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Single Sign-On 7"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-42004"
},
{
"category": "external",
"summary": "RHBZ#2135247",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135247"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-42004",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-42004"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-42004",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-42004"
}
],
"release_date": "2022-10-02T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:58:17+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat Single Sign-On 7"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1049"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat Single Sign-On 7"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "jackson-databind: use of deeply nested arrays"
},
{
"cve": "CVE-2022-45047",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2022-11-23T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2145194"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Apache MINA SSHD, when using Java deserialization to load a serialized java.security.PrivateKey. An attacker could benefit from unsafe deserialization by inserting unsecured data that may affect the application or server.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "mina-sshd: Java unsafe deserialization vulnerability",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Impact as High as there\u0027s a mitigation for minimizing the impact which the flaw requires org.apache.sshd.server.keyprovider.SimpleGeneratorHostKeyProvider to be impacted, which would require an external/public API for an attacker to benefit from it. \n\nRed Hat Fuse 7 and Red Hat JBoss Enterprise Application Platform 7 have a lower rate (moderate) as it\u0027s very unlikely to be exploited since those are for internal usage or use a custom implementation in their case.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Single Sign-On 7"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-45047"
},
{
"category": "external",
"summary": "RHBZ#2145194",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2145194"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-45047",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-45047"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-45047",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-45047"
},
{
"category": "external",
"summary": "https://www.mail-archive.com/dev@mina.apache.org/msg39312.html",
"url": "https://www.mail-archive.com/dev@mina.apache.org/msg39312.html"
}
],
"release_date": "2022-11-16T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:58:17+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat Single Sign-On 7"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1049"
},
{
"category": "workaround",
"details": "From the maintainer:\n\nFor Apache MINA SSHD \u003c= 2.9.1, do not use org.apache.sshd.server.keyprovider.SimpleGeneratorHostKeyProvider to generate and later load your server\u0027s host key. Use separately generated host key files, for instance in OpenSSH format, and load them via a org.apache.sshd.common.keyprovider.FileKeyPairProvider instead. Or use a custom implementation instead of \nSimpleGeneratorHostKeyProvider that uses the OpenSSH format for storing and loading the host key (via classes OpenSSHKeyPairResourceWriter and OpenSSHKeyPairResourceParser).",
"product_ids": [
"Red Hat Single Sign-On 7"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"Red Hat Single Sign-On 7"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "mina-sshd: Java unsafe deserialization vulnerability"
},
{
"cve": "CVE-2022-45693",
"cwe": {
"id": "CWE-787",
"name": "Out-of-bounds Write"
},
"discovery_date": "2022-12-23T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2155970"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Jettison, where it is vulnerable to a denial of service caused by a stack-based buffer overflow. By sending a specially-crafted request using the map parameter, a remote attacker can cause a denial of service.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jettison: If the value in map is the map\u0027s self, the new new JSONObject(map) cause StackOverflowError which may lead to dos",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat has determined the impact of this flaw to be Moderate; a successful attack using this flaw would require the processing of untrusted, unsanitized, or unrestricted user inputs, which runs counter to established Red Hat security practices.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Single Sign-On 7"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-45693"
},
{
"category": "external",
"summary": "RHBZ#2155970",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2155970"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-45693",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-45693"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-45693",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-45693"
}
],
"release_date": "2022-12-13T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:58:17+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat Single Sign-On 7"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1049"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat Single Sign-On 7"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "jettison: If the value in map is the map\u0027s self, the new new JSONObject(map) cause StackOverflowError which may lead to dos"
},
{
"cve": "CVE-2022-46175",
"cwe": {
"id": "CWE-1321",
"name": "Improperly Controlled Modification of Object Prototype Attributes (\u0027Prototype Pollution\u0027)"
},
"discovery_date": "2022-12-26T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2156263"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the json5 package. The affected version of the json5 package could allow an attacker to set arbitrary and unexpected keys on the object returned from JSON5.parse.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "json5: Prototype Pollution in JSON5 via Parse Method",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "The json5 package is a build-time dependency in Red Hat products and is not used in production runtime. Hence, the impact is set to Moderate.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Single Sign-On 7"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-46175"
},
{
"category": "external",
"summary": "RHBZ#2156263",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2156263"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-46175",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-46175"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-46175",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-46175"
},
{
"category": "external",
"summary": "https://github.com/json5/json5/security/advisories/GHSA-9c47-m6qq-7p4h",
"url": "https://github.com/json5/json5/security/advisories/GHSA-9c47-m6qq-7p4h"
}
],
"release_date": "2022-12-24T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:58:17+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat Single Sign-On 7"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1049"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"Red Hat Single Sign-On 7"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "json5: Prototype Pollution in JSON5 via Parse Method"
},
{
"cve": "CVE-2022-46363",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"discovery_date": "2022-12-21T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2155681"
}
],
"notes": [
{
"category": "description",
"text": "A vulnerability was found in Apache CXF that could allow an attacker to perform a remote directory listing or code exfiltration. This issue only applies when the CXFServlet is configured with both the static-resources-list and redirect-query-check attributes. These attributes are not supposed to be used together, so the issue can only occur if the CXF service is misconfigured.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "CXF: directory listing / code exfiltration",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Single Sign-On 7"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-46363"
},
{
"category": "external",
"summary": "RHBZ#2155681",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2155681"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-46363",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-46363"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-46363",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-46363"
},
{
"category": "external",
"summary": "https://lists.apache.org/thread/pdzo1qgyplf4y523tnnzrcm7hoco3l8c",
"url": "https://lists.apache.org/thread/pdzo1qgyplf4y523tnnzrcm7hoco3l8c"
}
],
"release_date": "2022-12-13T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:58:17+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat Single Sign-On 7"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1049"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"Red Hat Single Sign-On 7"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "CXF: directory listing / code exfiltration"
},
{
"cve": "CVE-2022-46364",
"cwe": {
"id": "CWE-918",
"name": "Server-Side Request Forgery (SSRF)"
},
"discovery_date": "2022-12-21T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2155682"
}
],
"notes": [
{
"category": "description",
"text": "A SSRF vulnerability was found in Apache CXF. This issue occurs when parsing the href attribute of XOP:Include in MTOM requests, allowing an attacker to perform SSRF style attacks on webservices that take at least one parameter of any type.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "CXF: SSRF Vulnerability",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Integration Camel Quarkus does not support CXF extensions and so is affected at a reduced impact of Moderate.\nThe RHSSO server does not ship Apache CXF. The component mentioned in CVE-2022-46364 is a transitive dependency coming from Fuse adapters and the test suite.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Single Sign-On 7"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-46364"
},
{
"category": "external",
"summary": "RHBZ#2155682",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2155682"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-46364",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-46364"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-46364",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-46364"
},
{
"category": "external",
"summary": "https://cxf.apache.org/security-advisories.data/CVE-2022-46364.txt?version=1\u0026modificationDate=1670944472739\u0026api=v2",
"url": "https://cxf.apache.org/security-advisories.data/CVE-2022-46364.txt?version=1\u0026modificationDate=1670944472739\u0026api=v2"
}
],
"release_date": "2022-12-13T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:58:17+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat Single Sign-On 7"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1049"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"Red Hat Single Sign-On 7"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "CXF: SSRF Vulnerability"
},
{
"acknowledgments": [
{
"names": [
"Sourav Kumar"
],
"organization": "https://github.com/souravs17031999",
"summary": "Acknowledged by upstream."
}
],
"cve": "CVE-2023-0091",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"discovery_date": "2022-10-28T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2158585"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Keycloak, where it did not properly check client tokens for possible revocation in its client credential flow. This flaw allows an attacker to access or modify potentially sensitive information.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "keycloak: Client Registration endpoint does not check token revocation",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Single Sign-On 7"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2023-0091"
},
{
"category": "external",
"summary": "RHBZ#2158585",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2158585"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2023-0091",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-0091"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-0091",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0091"
},
{
"category": "external",
"summary": "https://github.com/keycloak/keycloak/security/advisories/GHSA-v436-q368-hvgg",
"url": "https://github.com/keycloak/keycloak/security/advisories/GHSA-v436-q368-hvgg"
},
{
"category": "external",
"summary": "https://github.com/keycloak/security/issues/27",
"url": "https://github.com/keycloak/security/issues/27"
}
],
"release_date": "2022-10-28T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:58:17+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat Single Sign-On 7"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1049"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.8,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"Red Hat Single Sign-On 7"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "keycloak: Client Registration endpoint does not check token revocation"
},
{
"acknowledgments": [
{
"names": [
"Jordi Zayuelas i Mu\u00f1oz"
],
"organization": "A1 Digital",
"summary": "Acknowledged by upstream."
}
],
"cve": "CVE-2023-0264",
"cwe": {
"id": "CWE-303",
"name": "Incorrect Implementation of Authentication Algorithm"
},
"discovery_date": "2023-01-12T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2160585"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Keycloak\u0027s OpenID Connect user authentication, which may incorrectly authenticate requests. An authenticated attacker who could obtain information from a user request within the same realm could use that data to impersonate the victim and generate new session tokens. This issue could impact confidentiality, Integrity, and availability.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "keycloak: user impersonation via stolen uuid code",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Single Sign-On 7"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2023-0264"
},
{
"category": "external",
"summary": "RHBZ#2160585",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2160585"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2023-0264",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-0264"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-0264",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0264"
}
],
"release_date": "2023-02-28T18:58:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:58:17+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat Single Sign-On 7"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1049"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "LOW",
"baseScore": 4.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
},
"products": [
"Red Hat Single Sign-On 7"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "keycloak: user impersonation via stolen uuid code"
}
]
}
RHSA-2023_1428
Vulnerability from csaf_redhat - Published: 2023-03-23 02:16 - Updated: 2024-12-17 23:02Summary
Red Hat Security Advisory: Migration Toolkit for Containers (MTC) 1.7.8 security and bug fix update
Severity
Important
Notes
Topic: The Migration Toolkit for Containers (MTC) 1.7.8 is now available.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details: The Migration Toolkit for Containers (MTC) enables you to migrate Kubernetes resources, persistent volume data, and internal container images between OpenShift Container Platform clusters, using the MTC web console or the Kubernetes API.
Security Fix(es):
* decode-uri-component: improper input validation resulting in DoS (CVE-2022-38900)
* gin: Unsanitized input in the default logger in github.com/gin-gonic/gin (CVE-2020-36567)
* express: "qs" prototype poisoning causes the hang of the node process (CVE-2022-24999)
* http-cache-semantics: Regular Expression Denial of Service (ReDoS) vulnerability (CVE-2022-25881)
* ua-parser-js: ReDoS vulnerability via the trim() function (CVE-2022-25927)
* loader-utils: Regular expression denial of service (CVE-2022-37603)
* json5: Prototype Pollution in JSON5 via Parse Method (CVE-2022-46175)
* jszip: directory traversal via a crafted ZIP archive (CVE-2022-48285)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Bug Fix(es):
* The velero image cannot be overridden in the operator (BZ#2143389)
* Adding a MigCluster from UI fails when the domain name has characters more than 6 (BZ#2152149)
* UI fails to render the 'migrations' page: "Cannot read properties of undefined (reading 'name')" (BZ#2163485)
* Creating DPA resource fails on OCP 4.6 clusters (BZ#2173742)
Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
A flaw was found in gin. This issue occurs when the default Formatter for the Logger middleware (LoggerConfig.Formatter), which is included in the Default engine, allows attackers to inject arbitrary log entries by manipulating the request path.
7.5 (High)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-RHMTC-1.7:rhmtc/openshift-migration-controller-rhel8@sha256:5bd15eedeaa345b05580d154819e813bde9feb60e99a5f5f03187c43205f7d0f_amd64 | — |
Vendor Fix
fix
|
Known not affected
16 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-RHMTC-1.7:rhmtc/openshift-migration-hook-runner-rhel8@sha256:61f534bd9ce8b65cc9111336e4db1d57a0e7f0a614094ee25b4532324a8bfe71_amd64 | — | ||
| Unresolved product id: 8Base-RHMTC-1.7:rhmtc/openshift-migration-legacy-rhel8-operator@sha256:9213e3ca5be9a82934b910c188626a45f9f1265d032251e3337083ecf41c7bde_amd64 | — | ||
| Unresolved product id: 8Base-RHMTC-1.7:rhmtc/openshift-migration-log-reader-rhel8@sha256:85b1795ccbe0f13810605b579ebd25a8bc3a41f25a0c6b98df654eb894e559b8_amd64 | — | ||
| Unresolved product id: 8Base-RHMTC-1.7:rhmtc/openshift-migration-must-gather-rhel8@sha256:79741d28197747559160fe140258eb3c5bf5b42351ad88b2f00642eba2180fee_amd64 | — | ||
| Unresolved product id: 8Base-RHMTC-1.7:rhmtc/openshift-migration-openvpn-rhel8@sha256:10c90d8813b9045bde25cac6cc0cbd1de8095be3ea353c07ba77ca13ee561165_amd64 | — | ||
| Unresolved product id: 8Base-RHMTC-1.7:rhmtc/openshift-migration-operator-bundle@sha256:9e0d9d0d4acaf95c553d1c23ec62161554a24fd8b2a6d9d50bad8cb4d8da7229_amd64 | — | ||
| Unresolved product id: 8Base-RHMTC-1.7:rhmtc/openshift-migration-registry-rhel8@sha256:24afdf147e24a631d8f4267d0594bf15db8a024bd1a86b49189c1d4c01acd5e5_amd64 | — | ||
| Unresolved product id: 8Base-RHMTC-1.7:rhmtc/openshift-migration-rhel8-operator@sha256:fc0422805208ff6b659ff190837f4dd8ce589b6862d7abd2c5d649b47271f6f9_amd64 | — | ||
| Unresolved product id: 8Base-RHMTC-1.7:rhmtc/openshift-migration-rsync-transfer-rhel8@sha256:70676a347e14d1a4d2c5dc2259c73a7348401eb51c16c0dcd62b78326b2d9e1b_amd64 | — | ||
| Unresolved product id: 8Base-RHMTC-1.7:rhmtc/openshift-migration-ui-rhel8@sha256:6da0fcb9118ff62926e16dcd0146c85ab0972cd7e304027032bf925b7bde4dd0_amd64 | — | ||
| Unresolved product id: 8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-plugin-for-aws-rhel8@sha256:8c196e46603987091fac589001c805708f9f8d243c00f828938bbcca132d52a0_amd64 | — | ||
| Unresolved product id: 8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-plugin-for-gcp-rhel8@sha256:2dca85c9f00468f63d741c2133457122ebb148c6580c055174d5e6b9daaa33e2_amd64 | — | ||
| Unresolved product id: 8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-plugin-for-microsoft-azure-rhel8@sha256:8341be8ea6d3f65544829158f007c15865165fb590e43f0928ad22bcedeed870_amd64 | — | ||
| Unresolved product id: 8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-restic-restore-helper-rhel8@sha256:5837e38d784cf83e06b343dfbfc10f250cf399b6af810a8f584f7aadb5258a1b_amd64 | — | ||
| Unresolved product id: 8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-rhel8@sha256:b4102f9a94d6a539e695a446f59c9395287b53c10ccd4a2a274feec40c6e0368_amd64 | — | ||
| Unresolved product id: 8Base-RHMTC-1.7:rhmtc/openshift-velero-plugin-rhel8@sha256:d6958eee44939ace90ddadc33f60a5cee1ce30ec97a65aeea4ec5788aaf08d94_amd64 | — |
Threats
Impact
Moderate
A flaw was found in the express.js npm package of nodejs:14 module stream. Express.js Express is vulnerable to a denial of service caused by a prototype pollution flaw in qs. By adding or modifying properties of Object.prototype using a __proto__ or constructor payload, a remote attacker can cause a denial of service.
7.5 (High)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-RHMTC-1.7:rhmtc/openshift-migration-ui-rhel8@sha256:6da0fcb9118ff62926e16dcd0146c85ab0972cd7e304027032bf925b7bde4dd0_amd64 | — |
Vendor Fix
fix
|
Known not affected
16 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-RHMTC-1.7:rhmtc/openshift-migration-controller-rhel8@sha256:5bd15eedeaa345b05580d154819e813bde9feb60e99a5f5f03187c43205f7d0f_amd64 | — | ||
| Unresolved product id: 8Base-RHMTC-1.7:rhmtc/openshift-migration-hook-runner-rhel8@sha256:61f534bd9ce8b65cc9111336e4db1d57a0e7f0a614094ee25b4532324a8bfe71_amd64 | — | ||
| Unresolved product id: 8Base-RHMTC-1.7:rhmtc/openshift-migration-legacy-rhel8-operator@sha256:9213e3ca5be9a82934b910c188626a45f9f1265d032251e3337083ecf41c7bde_amd64 | — | ||
| Unresolved product id: 8Base-RHMTC-1.7:rhmtc/openshift-migration-log-reader-rhel8@sha256:85b1795ccbe0f13810605b579ebd25a8bc3a41f25a0c6b98df654eb894e559b8_amd64 | — | ||
| Unresolved product id: 8Base-RHMTC-1.7:rhmtc/openshift-migration-must-gather-rhel8@sha256:79741d28197747559160fe140258eb3c5bf5b42351ad88b2f00642eba2180fee_amd64 | — | ||
| Unresolved product id: 8Base-RHMTC-1.7:rhmtc/openshift-migration-openvpn-rhel8@sha256:10c90d8813b9045bde25cac6cc0cbd1de8095be3ea353c07ba77ca13ee561165_amd64 | — | ||
| Unresolved product id: 8Base-RHMTC-1.7:rhmtc/openshift-migration-operator-bundle@sha256:9e0d9d0d4acaf95c553d1c23ec62161554a24fd8b2a6d9d50bad8cb4d8da7229_amd64 | — | ||
| Unresolved product id: 8Base-RHMTC-1.7:rhmtc/openshift-migration-registry-rhel8@sha256:24afdf147e24a631d8f4267d0594bf15db8a024bd1a86b49189c1d4c01acd5e5_amd64 | — | ||
| Unresolved product id: 8Base-RHMTC-1.7:rhmtc/openshift-migration-rhel8-operator@sha256:fc0422805208ff6b659ff190837f4dd8ce589b6862d7abd2c5d649b47271f6f9_amd64 | — | ||
| Unresolved product id: 8Base-RHMTC-1.7:rhmtc/openshift-migration-rsync-transfer-rhel8@sha256:70676a347e14d1a4d2c5dc2259c73a7348401eb51c16c0dcd62b78326b2d9e1b_amd64 | — | ||
| Unresolved product id: 8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-plugin-for-aws-rhel8@sha256:8c196e46603987091fac589001c805708f9f8d243c00f828938bbcca132d52a0_amd64 | — | ||
| Unresolved product id: 8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-plugin-for-gcp-rhel8@sha256:2dca85c9f00468f63d741c2133457122ebb148c6580c055174d5e6b9daaa33e2_amd64 | — | ||
| Unresolved product id: 8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-plugin-for-microsoft-azure-rhel8@sha256:8341be8ea6d3f65544829158f007c15865165fb590e43f0928ad22bcedeed870_amd64 | — | ||
| Unresolved product id: 8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-restic-restore-helper-rhel8@sha256:5837e38d784cf83e06b343dfbfc10f250cf399b6af810a8f584f7aadb5258a1b_amd64 | — | ||
| Unresolved product id: 8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-rhel8@sha256:b4102f9a94d6a539e695a446f59c9395287b53c10ccd4a2a274feec40c6e0368_amd64 | — | ||
| Unresolved product id: 8Base-RHMTC-1.7:rhmtc/openshift-velero-plugin-rhel8@sha256:d6958eee44939ace90ddadc33f60a5cee1ce30ec97a65aeea4ec5788aaf08d94_amd64 | — |
Threats
Impact
Moderate
A flaw was found in http-cache-semantics. When the server reads the cache policy from the request using this library, a Regular Expression Denial of Service occurs, caused by malicious request header values sent to the server.
7.5 (High)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-RHMTC-1.7:rhmtc/openshift-migration-ui-rhel8@sha256:6da0fcb9118ff62926e16dcd0146c85ab0972cd7e304027032bf925b7bde4dd0_amd64 | — |
Vendor Fix
fix
|
Known not affected
16 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-RHMTC-1.7:rhmtc/openshift-migration-controller-rhel8@sha256:5bd15eedeaa345b05580d154819e813bde9feb60e99a5f5f03187c43205f7d0f_amd64 | — | ||
| Unresolved product id: 8Base-RHMTC-1.7:rhmtc/openshift-migration-hook-runner-rhel8@sha256:61f534bd9ce8b65cc9111336e4db1d57a0e7f0a614094ee25b4532324a8bfe71_amd64 | — | ||
| Unresolved product id: 8Base-RHMTC-1.7:rhmtc/openshift-migration-legacy-rhel8-operator@sha256:9213e3ca5be9a82934b910c188626a45f9f1265d032251e3337083ecf41c7bde_amd64 | — | ||
| Unresolved product id: 8Base-RHMTC-1.7:rhmtc/openshift-migration-log-reader-rhel8@sha256:85b1795ccbe0f13810605b579ebd25a8bc3a41f25a0c6b98df654eb894e559b8_amd64 | — | ||
| Unresolved product id: 8Base-RHMTC-1.7:rhmtc/openshift-migration-must-gather-rhel8@sha256:79741d28197747559160fe140258eb3c5bf5b42351ad88b2f00642eba2180fee_amd64 | — | ||
| Unresolved product id: 8Base-RHMTC-1.7:rhmtc/openshift-migration-openvpn-rhel8@sha256:10c90d8813b9045bde25cac6cc0cbd1de8095be3ea353c07ba77ca13ee561165_amd64 | — | ||
| Unresolved product id: 8Base-RHMTC-1.7:rhmtc/openshift-migration-operator-bundle@sha256:9e0d9d0d4acaf95c553d1c23ec62161554a24fd8b2a6d9d50bad8cb4d8da7229_amd64 | — | ||
| Unresolved product id: 8Base-RHMTC-1.7:rhmtc/openshift-migration-registry-rhel8@sha256:24afdf147e24a631d8f4267d0594bf15db8a024bd1a86b49189c1d4c01acd5e5_amd64 | — | ||
| Unresolved product id: 8Base-RHMTC-1.7:rhmtc/openshift-migration-rhel8-operator@sha256:fc0422805208ff6b659ff190837f4dd8ce589b6862d7abd2c5d649b47271f6f9_amd64 | — | ||
| Unresolved product id: 8Base-RHMTC-1.7:rhmtc/openshift-migration-rsync-transfer-rhel8@sha256:70676a347e14d1a4d2c5dc2259c73a7348401eb51c16c0dcd62b78326b2d9e1b_amd64 | — | ||
| Unresolved product id: 8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-plugin-for-aws-rhel8@sha256:8c196e46603987091fac589001c805708f9f8d243c00f828938bbcca132d52a0_amd64 | — | ||
| Unresolved product id: 8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-plugin-for-gcp-rhel8@sha256:2dca85c9f00468f63d741c2133457122ebb148c6580c055174d5e6b9daaa33e2_amd64 | — | ||
| Unresolved product id: 8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-plugin-for-microsoft-azure-rhel8@sha256:8341be8ea6d3f65544829158f007c15865165fb590e43f0928ad22bcedeed870_amd64 | — | ||
| Unresolved product id: 8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-restic-restore-helper-rhel8@sha256:5837e38d784cf83e06b343dfbfc10f250cf399b6af810a8f584f7aadb5258a1b_amd64 | — | ||
| Unresolved product id: 8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-rhel8@sha256:b4102f9a94d6a539e695a446f59c9395287b53c10ccd4a2a274feec40c6e0368_amd64 | — | ||
| Unresolved product id: 8Base-RHMTC-1.7:rhmtc/openshift-velero-plugin-rhel8@sha256:d6958eee44939ace90ddadc33f60a5cee1ce30ec97a65aeea4ec5788aaf08d94_amd64 | — |
Threats
Impact
Moderate
A flaw was found in ua-parser-js. This issue could allow a malicious user to trigger a regular expression denial of service (ReDoS) via the trim() function.
7.5 (High)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-RHMTC-1.7:rhmtc/openshift-migration-ui-rhel8@sha256:6da0fcb9118ff62926e16dcd0146c85ab0972cd7e304027032bf925b7bde4dd0_amd64 | — |
Vendor Fix
fix
|
Known not affected
16 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-RHMTC-1.7:rhmtc/openshift-migration-controller-rhel8@sha256:5bd15eedeaa345b05580d154819e813bde9feb60e99a5f5f03187c43205f7d0f_amd64 | — | ||
| Unresolved product id: 8Base-RHMTC-1.7:rhmtc/openshift-migration-hook-runner-rhel8@sha256:61f534bd9ce8b65cc9111336e4db1d57a0e7f0a614094ee25b4532324a8bfe71_amd64 | — | ||
| Unresolved product id: 8Base-RHMTC-1.7:rhmtc/openshift-migration-legacy-rhel8-operator@sha256:9213e3ca5be9a82934b910c188626a45f9f1265d032251e3337083ecf41c7bde_amd64 | — | ||
| Unresolved product id: 8Base-RHMTC-1.7:rhmtc/openshift-migration-log-reader-rhel8@sha256:85b1795ccbe0f13810605b579ebd25a8bc3a41f25a0c6b98df654eb894e559b8_amd64 | — | ||
| Unresolved product id: 8Base-RHMTC-1.7:rhmtc/openshift-migration-must-gather-rhel8@sha256:79741d28197747559160fe140258eb3c5bf5b42351ad88b2f00642eba2180fee_amd64 | — | ||
| Unresolved product id: 8Base-RHMTC-1.7:rhmtc/openshift-migration-openvpn-rhel8@sha256:10c90d8813b9045bde25cac6cc0cbd1de8095be3ea353c07ba77ca13ee561165_amd64 | — | ||
| Unresolved product id: 8Base-RHMTC-1.7:rhmtc/openshift-migration-operator-bundle@sha256:9e0d9d0d4acaf95c553d1c23ec62161554a24fd8b2a6d9d50bad8cb4d8da7229_amd64 | — | ||
| Unresolved product id: 8Base-RHMTC-1.7:rhmtc/openshift-migration-registry-rhel8@sha256:24afdf147e24a631d8f4267d0594bf15db8a024bd1a86b49189c1d4c01acd5e5_amd64 | — | ||
| Unresolved product id: 8Base-RHMTC-1.7:rhmtc/openshift-migration-rhel8-operator@sha256:fc0422805208ff6b659ff190837f4dd8ce589b6862d7abd2c5d649b47271f6f9_amd64 | — | ||
| Unresolved product id: 8Base-RHMTC-1.7:rhmtc/openshift-migration-rsync-transfer-rhel8@sha256:70676a347e14d1a4d2c5dc2259c73a7348401eb51c16c0dcd62b78326b2d9e1b_amd64 | — | ||
| Unresolved product id: 8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-plugin-for-aws-rhel8@sha256:8c196e46603987091fac589001c805708f9f8d243c00f828938bbcca132d52a0_amd64 | — | ||
| Unresolved product id: 8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-plugin-for-gcp-rhel8@sha256:2dca85c9f00468f63d741c2133457122ebb148c6580c055174d5e6b9daaa33e2_amd64 | — | ||
| Unresolved product id: 8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-plugin-for-microsoft-azure-rhel8@sha256:8341be8ea6d3f65544829158f007c15865165fb590e43f0928ad22bcedeed870_amd64 | — | ||
| Unresolved product id: 8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-restic-restore-helper-rhel8@sha256:5837e38d784cf83e06b343dfbfc10f250cf399b6af810a8f584f7aadb5258a1b_amd64 | — | ||
| Unresolved product id: 8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-rhel8@sha256:b4102f9a94d6a539e695a446f59c9395287b53c10ccd4a2a274feec40c6e0368_amd64 | — | ||
| Unresolved product id: 8Base-RHMTC-1.7:rhmtc/openshift-velero-plugin-rhel8@sha256:d6958eee44939ace90ddadc33f60a5cee1ce30ec97a65aeea4ec5788aaf08d94_amd64 | — |
Threats
Impact
Moderate
A flaw was found in loader-utils webpack library. When the url variable from interpolateName is set, the prototype can be polluted. This issue could lead to a regular expression Denial of Service (ReDoS), affecting the availability of the affected component.
7.5 (High)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-RHMTC-1.7:rhmtc/openshift-migration-ui-rhel8@sha256:6da0fcb9118ff62926e16dcd0146c85ab0972cd7e304027032bf925b7bde4dd0_amd64 | — |
Vendor Fix
fix
|
Known not affected
16 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-RHMTC-1.7:rhmtc/openshift-migration-controller-rhel8@sha256:5bd15eedeaa345b05580d154819e813bde9feb60e99a5f5f03187c43205f7d0f_amd64 | — | ||
| Unresolved product id: 8Base-RHMTC-1.7:rhmtc/openshift-migration-hook-runner-rhel8@sha256:61f534bd9ce8b65cc9111336e4db1d57a0e7f0a614094ee25b4532324a8bfe71_amd64 | — | ||
| Unresolved product id: 8Base-RHMTC-1.7:rhmtc/openshift-migration-legacy-rhel8-operator@sha256:9213e3ca5be9a82934b910c188626a45f9f1265d032251e3337083ecf41c7bde_amd64 | — | ||
| Unresolved product id: 8Base-RHMTC-1.7:rhmtc/openshift-migration-log-reader-rhel8@sha256:85b1795ccbe0f13810605b579ebd25a8bc3a41f25a0c6b98df654eb894e559b8_amd64 | — | ||
| Unresolved product id: 8Base-RHMTC-1.7:rhmtc/openshift-migration-must-gather-rhel8@sha256:79741d28197747559160fe140258eb3c5bf5b42351ad88b2f00642eba2180fee_amd64 | — | ||
| Unresolved product id: 8Base-RHMTC-1.7:rhmtc/openshift-migration-openvpn-rhel8@sha256:10c90d8813b9045bde25cac6cc0cbd1de8095be3ea353c07ba77ca13ee561165_amd64 | — | ||
| Unresolved product id: 8Base-RHMTC-1.7:rhmtc/openshift-migration-operator-bundle@sha256:9e0d9d0d4acaf95c553d1c23ec62161554a24fd8b2a6d9d50bad8cb4d8da7229_amd64 | — | ||
| Unresolved product id: 8Base-RHMTC-1.7:rhmtc/openshift-migration-registry-rhel8@sha256:24afdf147e24a631d8f4267d0594bf15db8a024bd1a86b49189c1d4c01acd5e5_amd64 | — | ||
| Unresolved product id: 8Base-RHMTC-1.7:rhmtc/openshift-migration-rhel8-operator@sha256:fc0422805208ff6b659ff190837f4dd8ce589b6862d7abd2c5d649b47271f6f9_amd64 | — | ||
| Unresolved product id: 8Base-RHMTC-1.7:rhmtc/openshift-migration-rsync-transfer-rhel8@sha256:70676a347e14d1a4d2c5dc2259c73a7348401eb51c16c0dcd62b78326b2d9e1b_amd64 | — | ||
| Unresolved product id: 8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-plugin-for-aws-rhel8@sha256:8c196e46603987091fac589001c805708f9f8d243c00f828938bbcca132d52a0_amd64 | — | ||
| Unresolved product id: 8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-plugin-for-gcp-rhel8@sha256:2dca85c9f00468f63d741c2133457122ebb148c6580c055174d5e6b9daaa33e2_amd64 | — | ||
| Unresolved product id: 8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-plugin-for-microsoft-azure-rhel8@sha256:8341be8ea6d3f65544829158f007c15865165fb590e43f0928ad22bcedeed870_amd64 | — | ||
| Unresolved product id: 8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-restic-restore-helper-rhel8@sha256:5837e38d784cf83e06b343dfbfc10f250cf399b6af810a8f584f7aadb5258a1b_amd64 | — | ||
| Unresolved product id: 8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-rhel8@sha256:b4102f9a94d6a539e695a446f59c9395287b53c10ccd4a2a274feec40c6e0368_amd64 | — | ||
| Unresolved product id: 8Base-RHMTC-1.7:rhmtc/openshift-velero-plugin-rhel8@sha256:d6958eee44939ace90ddadc33f60a5cee1ce30ec97a65aeea4ec5788aaf08d94_amd64 | — |
Threats
Impact
Moderate
A flaw was found in decode-uri-component. This issue occurs due to a specially crafted input, resulting in a denial of service.
7.5 (High)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-RHMTC-1.7:rhmtc/openshift-migration-ui-rhel8@sha256:6da0fcb9118ff62926e16dcd0146c85ab0972cd7e304027032bf925b7bde4dd0_amd64 | — |
Vendor Fix
fix
|
Known not affected
16 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-RHMTC-1.7:rhmtc/openshift-migration-controller-rhel8@sha256:5bd15eedeaa345b05580d154819e813bde9feb60e99a5f5f03187c43205f7d0f_amd64 | — | ||
| Unresolved product id: 8Base-RHMTC-1.7:rhmtc/openshift-migration-hook-runner-rhel8@sha256:61f534bd9ce8b65cc9111336e4db1d57a0e7f0a614094ee25b4532324a8bfe71_amd64 | — | ||
| Unresolved product id: 8Base-RHMTC-1.7:rhmtc/openshift-migration-legacy-rhel8-operator@sha256:9213e3ca5be9a82934b910c188626a45f9f1265d032251e3337083ecf41c7bde_amd64 | — | ||
| Unresolved product id: 8Base-RHMTC-1.7:rhmtc/openshift-migration-log-reader-rhel8@sha256:85b1795ccbe0f13810605b579ebd25a8bc3a41f25a0c6b98df654eb894e559b8_amd64 | — | ||
| Unresolved product id: 8Base-RHMTC-1.7:rhmtc/openshift-migration-must-gather-rhel8@sha256:79741d28197747559160fe140258eb3c5bf5b42351ad88b2f00642eba2180fee_amd64 | — | ||
| Unresolved product id: 8Base-RHMTC-1.7:rhmtc/openshift-migration-openvpn-rhel8@sha256:10c90d8813b9045bde25cac6cc0cbd1de8095be3ea353c07ba77ca13ee561165_amd64 | — | ||
| Unresolved product id: 8Base-RHMTC-1.7:rhmtc/openshift-migration-operator-bundle@sha256:9e0d9d0d4acaf95c553d1c23ec62161554a24fd8b2a6d9d50bad8cb4d8da7229_amd64 | — | ||
| Unresolved product id: 8Base-RHMTC-1.7:rhmtc/openshift-migration-registry-rhel8@sha256:24afdf147e24a631d8f4267d0594bf15db8a024bd1a86b49189c1d4c01acd5e5_amd64 | — | ||
| Unresolved product id: 8Base-RHMTC-1.7:rhmtc/openshift-migration-rhel8-operator@sha256:fc0422805208ff6b659ff190837f4dd8ce589b6862d7abd2c5d649b47271f6f9_amd64 | — | ||
| Unresolved product id: 8Base-RHMTC-1.7:rhmtc/openshift-migration-rsync-transfer-rhel8@sha256:70676a347e14d1a4d2c5dc2259c73a7348401eb51c16c0dcd62b78326b2d9e1b_amd64 | — | ||
| Unresolved product id: 8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-plugin-for-aws-rhel8@sha256:8c196e46603987091fac589001c805708f9f8d243c00f828938bbcca132d52a0_amd64 | — | ||
| Unresolved product id: 8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-plugin-for-gcp-rhel8@sha256:2dca85c9f00468f63d741c2133457122ebb148c6580c055174d5e6b9daaa33e2_amd64 | — | ||
| Unresolved product id: 8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-plugin-for-microsoft-azure-rhel8@sha256:8341be8ea6d3f65544829158f007c15865165fb590e43f0928ad22bcedeed870_amd64 | — | ||
| Unresolved product id: 8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-restic-restore-helper-rhel8@sha256:5837e38d784cf83e06b343dfbfc10f250cf399b6af810a8f584f7aadb5258a1b_amd64 | — | ||
| Unresolved product id: 8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-rhel8@sha256:b4102f9a94d6a539e695a446f59c9395287b53c10ccd4a2a274feec40c6e0368_amd64 | — | ||
| Unresolved product id: 8Base-RHMTC-1.7:rhmtc/openshift-velero-plugin-rhel8@sha256:d6958eee44939ace90ddadc33f60a5cee1ce30ec97a65aeea4ec5788aaf08d94_amd64 | — |
Threats
Impact
Important
A flaw was found in the json5 package. The affected version of the json5 package could allow an attacker to set arbitrary and unexpected keys on the object returned from JSON5.parse.
8.8 (High)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-RHMTC-1.7:rhmtc/openshift-migration-ui-rhel8@sha256:6da0fcb9118ff62926e16dcd0146c85ab0972cd7e304027032bf925b7bde4dd0_amd64 | — |
Vendor Fix
fix
|
Known not affected
16 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-RHMTC-1.7:rhmtc/openshift-migration-controller-rhel8@sha256:5bd15eedeaa345b05580d154819e813bde9feb60e99a5f5f03187c43205f7d0f_amd64 | — | ||
| Unresolved product id: 8Base-RHMTC-1.7:rhmtc/openshift-migration-hook-runner-rhel8@sha256:61f534bd9ce8b65cc9111336e4db1d57a0e7f0a614094ee25b4532324a8bfe71_amd64 | — | ||
| Unresolved product id: 8Base-RHMTC-1.7:rhmtc/openshift-migration-legacy-rhel8-operator@sha256:9213e3ca5be9a82934b910c188626a45f9f1265d032251e3337083ecf41c7bde_amd64 | — | ||
| Unresolved product id: 8Base-RHMTC-1.7:rhmtc/openshift-migration-log-reader-rhel8@sha256:85b1795ccbe0f13810605b579ebd25a8bc3a41f25a0c6b98df654eb894e559b8_amd64 | — | ||
| Unresolved product id: 8Base-RHMTC-1.7:rhmtc/openshift-migration-must-gather-rhel8@sha256:79741d28197747559160fe140258eb3c5bf5b42351ad88b2f00642eba2180fee_amd64 | — | ||
| Unresolved product id: 8Base-RHMTC-1.7:rhmtc/openshift-migration-openvpn-rhel8@sha256:10c90d8813b9045bde25cac6cc0cbd1de8095be3ea353c07ba77ca13ee561165_amd64 | — | ||
| Unresolved product id: 8Base-RHMTC-1.7:rhmtc/openshift-migration-operator-bundle@sha256:9e0d9d0d4acaf95c553d1c23ec62161554a24fd8b2a6d9d50bad8cb4d8da7229_amd64 | — | ||
| Unresolved product id: 8Base-RHMTC-1.7:rhmtc/openshift-migration-registry-rhel8@sha256:24afdf147e24a631d8f4267d0594bf15db8a024bd1a86b49189c1d4c01acd5e5_amd64 | — | ||
| Unresolved product id: 8Base-RHMTC-1.7:rhmtc/openshift-migration-rhel8-operator@sha256:fc0422805208ff6b659ff190837f4dd8ce589b6862d7abd2c5d649b47271f6f9_amd64 | — | ||
| Unresolved product id: 8Base-RHMTC-1.7:rhmtc/openshift-migration-rsync-transfer-rhel8@sha256:70676a347e14d1a4d2c5dc2259c73a7348401eb51c16c0dcd62b78326b2d9e1b_amd64 | — | ||
| Unresolved product id: 8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-plugin-for-aws-rhel8@sha256:8c196e46603987091fac589001c805708f9f8d243c00f828938bbcca132d52a0_amd64 | — | ||
| Unresolved product id: 8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-plugin-for-gcp-rhel8@sha256:2dca85c9f00468f63d741c2133457122ebb148c6580c055174d5e6b9daaa33e2_amd64 | — | ||
| Unresolved product id: 8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-plugin-for-microsoft-azure-rhel8@sha256:8341be8ea6d3f65544829158f007c15865165fb590e43f0928ad22bcedeed870_amd64 | — | ||
| Unresolved product id: 8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-restic-restore-helper-rhel8@sha256:5837e38d784cf83e06b343dfbfc10f250cf399b6af810a8f584f7aadb5258a1b_amd64 | — | ||
| Unresolved product id: 8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-rhel8@sha256:b4102f9a94d6a539e695a446f59c9395287b53c10ccd4a2a274feec40c6e0368_amd64 | — | ||
| Unresolved product id: 8Base-RHMTC-1.7:rhmtc/openshift-velero-plugin-rhel8@sha256:d6958eee44939ace90ddadc33f60a5cee1ce30ec97a65aeea4ec5788aaf08d94_amd64 | — |
Threats
Impact
Moderate
A flaw was found in the JSZip package. Affected versions of JSZip could allow a remote attacker to traverse directories on the system caused by the failure to sanitize filenames when files are loaded with `loadAsync`, which makes the library vulnerable to a Zip Slip attack. By extracting files from a specially crafted archive, an attacker could gain access to parts of the file system outside of the target folder, overwrite the executable files, and execute arbitrary commands on the system.
7.3 (High)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-RHMTC-1.7:rhmtc/openshift-migration-ui-rhel8@sha256:6da0fcb9118ff62926e16dcd0146c85ab0972cd7e304027032bf925b7bde4dd0_amd64 | — |
Vendor Fix
fix
|
Known not affected
16 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-RHMTC-1.7:rhmtc/openshift-migration-controller-rhel8@sha256:5bd15eedeaa345b05580d154819e813bde9feb60e99a5f5f03187c43205f7d0f_amd64 | — | ||
| Unresolved product id: 8Base-RHMTC-1.7:rhmtc/openshift-migration-hook-runner-rhel8@sha256:61f534bd9ce8b65cc9111336e4db1d57a0e7f0a614094ee25b4532324a8bfe71_amd64 | — | ||
| Unresolved product id: 8Base-RHMTC-1.7:rhmtc/openshift-migration-legacy-rhel8-operator@sha256:9213e3ca5be9a82934b910c188626a45f9f1265d032251e3337083ecf41c7bde_amd64 | — | ||
| Unresolved product id: 8Base-RHMTC-1.7:rhmtc/openshift-migration-log-reader-rhel8@sha256:85b1795ccbe0f13810605b579ebd25a8bc3a41f25a0c6b98df654eb894e559b8_amd64 | — | ||
| Unresolved product id: 8Base-RHMTC-1.7:rhmtc/openshift-migration-must-gather-rhel8@sha256:79741d28197747559160fe140258eb3c5bf5b42351ad88b2f00642eba2180fee_amd64 | — | ||
| Unresolved product id: 8Base-RHMTC-1.7:rhmtc/openshift-migration-openvpn-rhel8@sha256:10c90d8813b9045bde25cac6cc0cbd1de8095be3ea353c07ba77ca13ee561165_amd64 | — | ||
| Unresolved product id: 8Base-RHMTC-1.7:rhmtc/openshift-migration-operator-bundle@sha256:9e0d9d0d4acaf95c553d1c23ec62161554a24fd8b2a6d9d50bad8cb4d8da7229_amd64 | — | ||
| Unresolved product id: 8Base-RHMTC-1.7:rhmtc/openshift-migration-registry-rhel8@sha256:24afdf147e24a631d8f4267d0594bf15db8a024bd1a86b49189c1d4c01acd5e5_amd64 | — | ||
| Unresolved product id: 8Base-RHMTC-1.7:rhmtc/openshift-migration-rhel8-operator@sha256:fc0422805208ff6b659ff190837f4dd8ce589b6862d7abd2c5d649b47271f6f9_amd64 | — | ||
| Unresolved product id: 8Base-RHMTC-1.7:rhmtc/openshift-migration-rsync-transfer-rhel8@sha256:70676a347e14d1a4d2c5dc2259c73a7348401eb51c16c0dcd62b78326b2d9e1b_amd64 | — | ||
| Unresolved product id: 8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-plugin-for-aws-rhel8@sha256:8c196e46603987091fac589001c805708f9f8d243c00f828938bbcca132d52a0_amd64 | — | ||
| Unresolved product id: 8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-plugin-for-gcp-rhel8@sha256:2dca85c9f00468f63d741c2133457122ebb148c6580c055174d5e6b9daaa33e2_amd64 | — | ||
| Unresolved product id: 8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-plugin-for-microsoft-azure-rhel8@sha256:8341be8ea6d3f65544829158f007c15865165fb590e43f0928ad22bcedeed870_amd64 | — | ||
| Unresolved product id: 8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-restic-restore-helper-rhel8@sha256:5837e38d784cf83e06b343dfbfc10f250cf399b6af810a8f584f7aadb5258a1b_amd64 | — | ||
| Unresolved product id: 8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-rhel8@sha256:b4102f9a94d6a539e695a446f59c9395287b53c10ccd4a2a274feec40c6e0368_amd64 | — | ||
| Unresolved product id: 8Base-RHMTC-1.7:rhmtc/openshift-velero-plugin-rhel8@sha256:d6958eee44939ace90ddadc33f60a5cee1ce30ec97a65aeea4ec5788aaf08d94_amd64 | — |
Threats
Impact
Moderate
References
63 references
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "The Migration Toolkit for Containers (MTC) 1.7.8 is now available.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "The Migration Toolkit for Containers (MTC) enables you to migrate Kubernetes resources, persistent volume data, and internal container images between OpenShift Container Platform clusters, using the MTC web console or the Kubernetes API.\n\nSecurity Fix(es):\n\n* decode-uri-component: improper input validation resulting in DoS (CVE-2022-38900)\n\n* gin: Unsanitized input in the default logger in github.com/gin-gonic/gin (CVE-2020-36567)\n\n* express: \"qs\" prototype poisoning causes the hang of the node process (CVE-2022-24999)\n\n* http-cache-semantics: Regular Expression Denial of Service (ReDoS) vulnerability (CVE-2022-25881)\n\n* ua-parser-js: ReDoS vulnerability via the trim() function (CVE-2022-25927)\n\n* loader-utils: Regular expression denial of service (CVE-2022-37603)\n\n* json5: Prototype Pollution in JSON5 via Parse Method (CVE-2022-46175)\n\n* jszip: directory traversal via a crafted ZIP archive (CVE-2022-48285)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\n\nBug Fix(es):\n\n* The velero image cannot be overridden in the operator (BZ#2143389)\n\n* Adding a MigCluster from UI fails when the domain name has characters more than 6 (BZ#2152149)\n\n* UI fails to render the \u0027migrations\u0027 page: \"Cannot read properties of undefined (reading \u0027name\u0027)\" (BZ#2163485)\n\n* Creating DPA resource fails on OCP 4.6 clusters (BZ#2173742)",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2023:1428",
"url": "https://access.redhat.com/errata/RHSA-2023:1428"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "2140597",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2140597"
},
{
"category": "external",
"summary": "2143389",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2143389"
},
{
"category": "external",
"summary": "2150323",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2150323"
},
{
"category": "external",
"summary": "2152149",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2152149"
},
{
"category": "external",
"summary": "2156263",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2156263"
},
{
"category": "external",
"summary": "2156683",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2156683"
},
{
"category": "external",
"summary": "2163485",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2163485"
},
{
"category": "external",
"summary": "2165020",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2165020"
},
{
"category": "external",
"summary": "2165797",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2165797"
},
{
"category": "external",
"summary": "2165824",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2165824"
},
{
"category": "external",
"summary": "2170644",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2170644"
},
{
"category": "external",
"summary": "2173742",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2173742"
},
{
"category": "external",
"summary": "MIG-1298",
"url": "https://issues.redhat.com/browse/MIG-1298"
},
{
"category": "external",
"summary": "MIG-1315",
"url": "https://issues.redhat.com/browse/MIG-1315"
},
{
"category": "external",
"summary": "MIG-1318",
"url": "https://issues.redhat.com/browse/MIG-1318"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2023/rhsa-2023_1428.json"
}
],
"title": "Red Hat Security Advisory: Migration Toolkit for Containers (MTC) 1.7.8 security and bug fix update",
"tracking": {
"current_release_date": "2024-12-17T23:02:41+00:00",
"generator": {
"date": "2024-12-17T23:02:41+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.2.3"
}
},
"id": "RHSA-2023:1428",
"initial_release_date": "2023-03-23T02:16:09+00:00",
"revision_history": [
{
"date": "2023-03-23T02:16:09+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2023-03-23T02:16:09+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2024-12-17T23:02:41+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "8Base-RHMTC-1.7",
"product": {
"name": "8Base-RHMTC-1.7",
"product_id": "8Base-RHMTC-1.7",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:rhmt:1.7::el8"
}
}
}
],
"category": "product_family",
"name": "Red Hat Migration Toolkit"
},
{
"branches": [
{
"category": "product_version",
"name": "rhmtc/openshift-migration-controller-rhel8@sha256:5bd15eedeaa345b05580d154819e813bde9feb60e99a5f5f03187c43205f7d0f_amd64",
"product": {
"name": "rhmtc/openshift-migration-controller-rhel8@sha256:5bd15eedeaa345b05580d154819e813bde9feb60e99a5f5f03187c43205f7d0f_amd64",
"product_id": "rhmtc/openshift-migration-controller-rhel8@sha256:5bd15eedeaa345b05580d154819e813bde9feb60e99a5f5f03187c43205f7d0f_amd64",
"product_identification_helper": {
"purl": "pkg:oci/openshift-migration-controller-rhel8@sha256:5bd15eedeaa345b05580d154819e813bde9feb60e99a5f5f03187c43205f7d0f?arch=amd64\u0026repository_url=registry.redhat.io/rhmtc/openshift-migration-controller-rhel8\u0026tag=v1.7.8-6"
}
}
},
{
"category": "product_version",
"name": "rhmtc/openshift-migration-hook-runner-rhel8@sha256:61f534bd9ce8b65cc9111336e4db1d57a0e7f0a614094ee25b4532324a8bfe71_amd64",
"product": {
"name": "rhmtc/openshift-migration-hook-runner-rhel8@sha256:61f534bd9ce8b65cc9111336e4db1d57a0e7f0a614094ee25b4532324a8bfe71_amd64",
"product_id": "rhmtc/openshift-migration-hook-runner-rhel8@sha256:61f534bd9ce8b65cc9111336e4db1d57a0e7f0a614094ee25b4532324a8bfe71_amd64",
"product_identification_helper": {
"purl": "pkg:oci/openshift-migration-hook-runner-rhel8@sha256:61f534bd9ce8b65cc9111336e4db1d57a0e7f0a614094ee25b4532324a8bfe71?arch=amd64\u0026repository_url=registry.redhat.io/rhmtc/openshift-migration-hook-runner-rhel8\u0026tag=v1.7.8-3"
}
}
},
{
"category": "product_version",
"name": "rhmtc/openshift-migration-legacy-rhel8-operator@sha256:9213e3ca5be9a82934b910c188626a45f9f1265d032251e3337083ecf41c7bde_amd64",
"product": {
"name": "rhmtc/openshift-migration-legacy-rhel8-operator@sha256:9213e3ca5be9a82934b910c188626a45f9f1265d032251e3337083ecf41c7bde_amd64",
"product_id": "rhmtc/openshift-migration-legacy-rhel8-operator@sha256:9213e3ca5be9a82934b910c188626a45f9f1265d032251e3337083ecf41c7bde_amd64",
"product_identification_helper": {
"purl": "pkg:oci/openshift-migration-legacy-rhel8-operator@sha256:9213e3ca5be9a82934b910c188626a45f9f1265d032251e3337083ecf41c7bde?arch=amd64\u0026repository_url=registry.redhat.io/rhmtc/openshift-migration-legacy-rhel8-operator\u0026tag=v1.7.8-10"
}
}
},
{
"category": "product_version",
"name": "rhmtc/openshift-migration-log-reader-rhel8@sha256:85b1795ccbe0f13810605b579ebd25a8bc3a41f25a0c6b98df654eb894e559b8_amd64",
"product": {
"name": "rhmtc/openshift-migration-log-reader-rhel8@sha256:85b1795ccbe0f13810605b579ebd25a8bc3a41f25a0c6b98df654eb894e559b8_amd64",
"product_id": "rhmtc/openshift-migration-log-reader-rhel8@sha256:85b1795ccbe0f13810605b579ebd25a8bc3a41f25a0c6b98df654eb894e559b8_amd64",
"product_identification_helper": {
"purl": "pkg:oci/openshift-migration-log-reader-rhel8@sha256:85b1795ccbe0f13810605b579ebd25a8bc3a41f25a0c6b98df654eb894e559b8?arch=amd64\u0026repository_url=registry.redhat.io/rhmtc/openshift-migration-log-reader-rhel8\u0026tag=v1.7.8-3"
}
}
},
{
"category": "product_version",
"name": "rhmtc/openshift-migration-must-gather-rhel8@sha256:79741d28197747559160fe140258eb3c5bf5b42351ad88b2f00642eba2180fee_amd64",
"product": {
"name": "rhmtc/openshift-migration-must-gather-rhel8@sha256:79741d28197747559160fe140258eb3c5bf5b42351ad88b2f00642eba2180fee_amd64",
"product_id": "rhmtc/openshift-migration-must-gather-rhel8@sha256:79741d28197747559160fe140258eb3c5bf5b42351ad88b2f00642eba2180fee_amd64",
"product_identification_helper": {
"purl": "pkg:oci/openshift-migration-must-gather-rhel8@sha256:79741d28197747559160fe140258eb3c5bf5b42351ad88b2f00642eba2180fee?arch=amd64\u0026repository_url=registry.redhat.io/rhmtc/openshift-migration-must-gather-rhel8\u0026tag=v1.7.8-3"
}
}
},
{
"category": "product_version",
"name": "rhmtc/openshift-migration-openvpn-rhel8@sha256:10c90d8813b9045bde25cac6cc0cbd1de8095be3ea353c07ba77ca13ee561165_amd64",
"product": {
"name": "rhmtc/openshift-migration-openvpn-rhel8@sha256:10c90d8813b9045bde25cac6cc0cbd1de8095be3ea353c07ba77ca13ee561165_amd64",
"product_id": "rhmtc/openshift-migration-openvpn-rhel8@sha256:10c90d8813b9045bde25cac6cc0cbd1de8095be3ea353c07ba77ca13ee561165_amd64",
"product_identification_helper": {
"purl": "pkg:oci/openshift-migration-openvpn-rhel8@sha256:10c90d8813b9045bde25cac6cc0cbd1de8095be3ea353c07ba77ca13ee561165?arch=amd64\u0026repository_url=registry.redhat.io/rhmtc/openshift-migration-openvpn-rhel8\u0026tag=v1.7.8-3"
}
}
},
{
"category": "product_version",
"name": "rhmtc/openshift-migration-rhel8-operator@sha256:fc0422805208ff6b659ff190837f4dd8ce589b6862d7abd2c5d649b47271f6f9_amd64",
"product": {
"name": "rhmtc/openshift-migration-rhel8-operator@sha256:fc0422805208ff6b659ff190837f4dd8ce589b6862d7abd2c5d649b47271f6f9_amd64",
"product_id": "rhmtc/openshift-migration-rhel8-operator@sha256:fc0422805208ff6b659ff190837f4dd8ce589b6862d7abd2c5d649b47271f6f9_amd64",
"product_identification_helper": {
"purl": "pkg:oci/openshift-migration-rhel8-operator@sha256:fc0422805208ff6b659ff190837f4dd8ce589b6862d7abd2c5d649b47271f6f9?arch=amd64\u0026repository_url=registry.redhat.io/rhmtc/openshift-migration-rhel8-operator\u0026tag=v1.7.8-10"
}
}
},
{
"category": "product_version",
"name": "rhmtc/openshift-migration-operator-bundle@sha256:9e0d9d0d4acaf95c553d1c23ec62161554a24fd8b2a6d9d50bad8cb4d8da7229_amd64",
"product": {
"name": "rhmtc/openshift-migration-operator-bundle@sha256:9e0d9d0d4acaf95c553d1c23ec62161554a24fd8b2a6d9d50bad8cb4d8da7229_amd64",
"product_id": "rhmtc/openshift-migration-operator-bundle@sha256:9e0d9d0d4acaf95c553d1c23ec62161554a24fd8b2a6d9d50bad8cb4d8da7229_amd64",
"product_identification_helper": {
"purl": "pkg:oci/openshift-migration-operator-bundle@sha256:9e0d9d0d4acaf95c553d1c23ec62161554a24fd8b2a6d9d50bad8cb4d8da7229?arch=amd64\u0026repository_url=registry.redhat.io/rhmtc/openshift-migration-operator-bundle\u0026tag=v1.7.8-10"
}
}
},
{
"category": "product_version",
"name": "rhmtc/openshift-migration-registry-rhel8@sha256:24afdf147e24a631d8f4267d0594bf15db8a024bd1a86b49189c1d4c01acd5e5_amd64",
"product": {
"name": "rhmtc/openshift-migration-registry-rhel8@sha256:24afdf147e24a631d8f4267d0594bf15db8a024bd1a86b49189c1d4c01acd5e5_amd64",
"product_id": "rhmtc/openshift-migration-registry-rhel8@sha256:24afdf147e24a631d8f4267d0594bf15db8a024bd1a86b49189c1d4c01acd5e5_amd64",
"product_identification_helper": {
"purl": "pkg:oci/openshift-migration-registry-rhel8@sha256:24afdf147e24a631d8f4267d0594bf15db8a024bd1a86b49189c1d4c01acd5e5?arch=amd64\u0026repository_url=registry.redhat.io/rhmtc/openshift-migration-registry-rhel8\u0026tag=v1.7.8-3"
}
}
},
{
"category": "product_version",
"name": "rhmtc/openshift-migration-rsync-transfer-rhel8@sha256:70676a347e14d1a4d2c5dc2259c73a7348401eb51c16c0dcd62b78326b2d9e1b_amd64",
"product": {
"name": "rhmtc/openshift-migration-rsync-transfer-rhel8@sha256:70676a347e14d1a4d2c5dc2259c73a7348401eb51c16c0dcd62b78326b2d9e1b_amd64",
"product_id": "rhmtc/openshift-migration-rsync-transfer-rhel8@sha256:70676a347e14d1a4d2c5dc2259c73a7348401eb51c16c0dcd62b78326b2d9e1b_amd64",
"product_identification_helper": {
"purl": "pkg:oci/openshift-migration-rsync-transfer-rhel8@sha256:70676a347e14d1a4d2c5dc2259c73a7348401eb51c16c0dcd62b78326b2d9e1b?arch=amd64\u0026repository_url=registry.redhat.io/rhmtc/openshift-migration-rsync-transfer-rhel8\u0026tag=v1.7.8-3"
}
}
},
{
"category": "product_version",
"name": "rhmtc/openshift-migration-ui-rhel8@sha256:6da0fcb9118ff62926e16dcd0146c85ab0972cd7e304027032bf925b7bde4dd0_amd64",
"product": {
"name": "rhmtc/openshift-migration-ui-rhel8@sha256:6da0fcb9118ff62926e16dcd0146c85ab0972cd7e304027032bf925b7bde4dd0_amd64",
"product_id": "rhmtc/openshift-migration-ui-rhel8@sha256:6da0fcb9118ff62926e16dcd0146c85ab0972cd7e304027032bf925b7bde4dd0_amd64",
"product_identification_helper": {
"purl": "pkg:oci/openshift-migration-ui-rhel8@sha256:6da0fcb9118ff62926e16dcd0146c85ab0972cd7e304027032bf925b7bde4dd0?arch=amd64\u0026repository_url=registry.redhat.io/rhmtc/openshift-migration-ui-rhel8\u0026tag=v1.7.8-5"
}
}
},
{
"category": "product_version",
"name": "rhmtc/openshift-migration-velero-rhel8@sha256:b4102f9a94d6a539e695a446f59c9395287b53c10ccd4a2a274feec40c6e0368_amd64",
"product": {
"name": "rhmtc/openshift-migration-velero-rhel8@sha256:b4102f9a94d6a539e695a446f59c9395287b53c10ccd4a2a274feec40c6e0368_amd64",
"product_id": "rhmtc/openshift-migration-velero-rhel8@sha256:b4102f9a94d6a539e695a446f59c9395287b53c10ccd4a2a274feec40c6e0368_amd64",
"product_identification_helper": {
"purl": "pkg:oci/openshift-migration-velero-rhel8@sha256:b4102f9a94d6a539e695a446f59c9395287b53c10ccd4a2a274feec40c6e0368?arch=amd64\u0026repository_url=registry.redhat.io/rhmtc/openshift-migration-velero-rhel8\u0026tag=v1.7.8-4"
}
}
},
{
"category": "product_version",
"name": "rhmtc/openshift-migration-velero-plugin-for-aws-rhel8@sha256:8c196e46603987091fac589001c805708f9f8d243c00f828938bbcca132d52a0_amd64",
"product": {
"name": "rhmtc/openshift-migration-velero-plugin-for-aws-rhel8@sha256:8c196e46603987091fac589001c805708f9f8d243c00f828938bbcca132d52a0_amd64",
"product_id": "rhmtc/openshift-migration-velero-plugin-for-aws-rhel8@sha256:8c196e46603987091fac589001c805708f9f8d243c00f828938bbcca132d52a0_amd64",
"product_identification_helper": {
"purl": "pkg:oci/openshift-migration-velero-plugin-for-aws-rhel8@sha256:8c196e46603987091fac589001c805708f9f8d243c00f828938bbcca132d52a0?arch=amd64\u0026repository_url=registry.redhat.io/rhmtc/openshift-migration-velero-plugin-for-aws-rhel8\u0026tag=v1.7.8-3"
}
}
},
{
"category": "product_version",
"name": "rhmtc/openshift-migration-velero-plugin-for-gcp-rhel8@sha256:2dca85c9f00468f63d741c2133457122ebb148c6580c055174d5e6b9daaa33e2_amd64",
"product": {
"name": "rhmtc/openshift-migration-velero-plugin-for-gcp-rhel8@sha256:2dca85c9f00468f63d741c2133457122ebb148c6580c055174d5e6b9daaa33e2_amd64",
"product_id": "rhmtc/openshift-migration-velero-plugin-for-gcp-rhel8@sha256:2dca85c9f00468f63d741c2133457122ebb148c6580c055174d5e6b9daaa33e2_amd64",
"product_identification_helper": {
"purl": "pkg:oci/openshift-migration-velero-plugin-for-gcp-rhel8@sha256:2dca85c9f00468f63d741c2133457122ebb148c6580c055174d5e6b9daaa33e2?arch=amd64\u0026repository_url=registry.redhat.io/rhmtc/openshift-migration-velero-plugin-for-gcp-rhel8\u0026tag=v1.7.8-3"
}
}
},
{
"category": "product_version",
"name": "rhmtc/openshift-migration-velero-plugin-for-microsoft-azure-rhel8@sha256:8341be8ea6d3f65544829158f007c15865165fb590e43f0928ad22bcedeed870_amd64",
"product": {
"name": "rhmtc/openshift-migration-velero-plugin-for-microsoft-azure-rhel8@sha256:8341be8ea6d3f65544829158f007c15865165fb590e43f0928ad22bcedeed870_amd64",
"product_id": "rhmtc/openshift-migration-velero-plugin-for-microsoft-azure-rhel8@sha256:8341be8ea6d3f65544829158f007c15865165fb590e43f0928ad22bcedeed870_amd64",
"product_identification_helper": {
"purl": "pkg:oci/openshift-migration-velero-plugin-for-microsoft-azure-rhel8@sha256:8341be8ea6d3f65544829158f007c15865165fb590e43f0928ad22bcedeed870?arch=amd64\u0026repository_url=registry.redhat.io/rhmtc/openshift-migration-velero-plugin-for-microsoft-azure-rhel8\u0026tag=v1.7.8-3"
}
}
},
{
"category": "product_version",
"name": "rhmtc/openshift-migration-velero-restic-restore-helper-rhel8@sha256:5837e38d784cf83e06b343dfbfc10f250cf399b6af810a8f584f7aadb5258a1b_amd64",
"product": {
"name": "rhmtc/openshift-migration-velero-restic-restore-helper-rhel8@sha256:5837e38d784cf83e06b343dfbfc10f250cf399b6af810a8f584f7aadb5258a1b_amd64",
"product_id": "rhmtc/openshift-migration-velero-restic-restore-helper-rhel8@sha256:5837e38d784cf83e06b343dfbfc10f250cf399b6af810a8f584f7aadb5258a1b_amd64",
"product_identification_helper": {
"purl": "pkg:oci/openshift-migration-velero-restic-restore-helper-rhel8@sha256:5837e38d784cf83e06b343dfbfc10f250cf399b6af810a8f584f7aadb5258a1b?arch=amd64\u0026repository_url=registry.redhat.io/rhmtc/openshift-migration-velero-restic-restore-helper-rhel8\u0026tag=v1.7.8-4"
}
}
},
{
"category": "product_version",
"name": "rhmtc/openshift-velero-plugin-rhel8@sha256:d6958eee44939ace90ddadc33f60a5cee1ce30ec97a65aeea4ec5788aaf08d94_amd64",
"product": {
"name": "rhmtc/openshift-velero-plugin-rhel8@sha256:d6958eee44939ace90ddadc33f60a5cee1ce30ec97a65aeea4ec5788aaf08d94_amd64",
"product_id": "rhmtc/openshift-velero-plugin-rhel8@sha256:d6958eee44939ace90ddadc33f60a5cee1ce30ec97a65aeea4ec5788aaf08d94_amd64",
"product_identification_helper": {
"purl": "pkg:oci/openshift-velero-plugin-rhel8@sha256:d6958eee44939ace90ddadc33f60a5cee1ce30ec97a65aeea4ec5788aaf08d94?arch=amd64\u0026repository_url=registry.redhat.io/rhmtc/openshift-velero-plugin-rhel8\u0026tag=v1.7.8-3"
}
}
}
],
"category": "architecture",
"name": "amd64"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "rhmtc/openshift-migration-controller-rhel8@sha256:5bd15eedeaa345b05580d154819e813bde9feb60e99a5f5f03187c43205f7d0f_amd64 as a component of 8Base-RHMTC-1.7",
"product_id": "8Base-RHMTC-1.7:rhmtc/openshift-migration-controller-rhel8@sha256:5bd15eedeaa345b05580d154819e813bde9feb60e99a5f5f03187c43205f7d0f_amd64"
},
"product_reference": "rhmtc/openshift-migration-controller-rhel8@sha256:5bd15eedeaa345b05580d154819e813bde9feb60e99a5f5f03187c43205f7d0f_amd64",
"relates_to_product_reference": "8Base-RHMTC-1.7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhmtc/openshift-migration-hook-runner-rhel8@sha256:61f534bd9ce8b65cc9111336e4db1d57a0e7f0a614094ee25b4532324a8bfe71_amd64 as a component of 8Base-RHMTC-1.7",
"product_id": "8Base-RHMTC-1.7:rhmtc/openshift-migration-hook-runner-rhel8@sha256:61f534bd9ce8b65cc9111336e4db1d57a0e7f0a614094ee25b4532324a8bfe71_amd64"
},
"product_reference": "rhmtc/openshift-migration-hook-runner-rhel8@sha256:61f534bd9ce8b65cc9111336e4db1d57a0e7f0a614094ee25b4532324a8bfe71_amd64",
"relates_to_product_reference": "8Base-RHMTC-1.7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhmtc/openshift-migration-legacy-rhel8-operator@sha256:9213e3ca5be9a82934b910c188626a45f9f1265d032251e3337083ecf41c7bde_amd64 as a component of 8Base-RHMTC-1.7",
"product_id": "8Base-RHMTC-1.7:rhmtc/openshift-migration-legacy-rhel8-operator@sha256:9213e3ca5be9a82934b910c188626a45f9f1265d032251e3337083ecf41c7bde_amd64"
},
"product_reference": "rhmtc/openshift-migration-legacy-rhel8-operator@sha256:9213e3ca5be9a82934b910c188626a45f9f1265d032251e3337083ecf41c7bde_amd64",
"relates_to_product_reference": "8Base-RHMTC-1.7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhmtc/openshift-migration-log-reader-rhel8@sha256:85b1795ccbe0f13810605b579ebd25a8bc3a41f25a0c6b98df654eb894e559b8_amd64 as a component of 8Base-RHMTC-1.7",
"product_id": "8Base-RHMTC-1.7:rhmtc/openshift-migration-log-reader-rhel8@sha256:85b1795ccbe0f13810605b579ebd25a8bc3a41f25a0c6b98df654eb894e559b8_amd64"
},
"product_reference": "rhmtc/openshift-migration-log-reader-rhel8@sha256:85b1795ccbe0f13810605b579ebd25a8bc3a41f25a0c6b98df654eb894e559b8_amd64",
"relates_to_product_reference": "8Base-RHMTC-1.7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhmtc/openshift-migration-must-gather-rhel8@sha256:79741d28197747559160fe140258eb3c5bf5b42351ad88b2f00642eba2180fee_amd64 as a component of 8Base-RHMTC-1.7",
"product_id": "8Base-RHMTC-1.7:rhmtc/openshift-migration-must-gather-rhel8@sha256:79741d28197747559160fe140258eb3c5bf5b42351ad88b2f00642eba2180fee_amd64"
},
"product_reference": "rhmtc/openshift-migration-must-gather-rhel8@sha256:79741d28197747559160fe140258eb3c5bf5b42351ad88b2f00642eba2180fee_amd64",
"relates_to_product_reference": "8Base-RHMTC-1.7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhmtc/openshift-migration-openvpn-rhel8@sha256:10c90d8813b9045bde25cac6cc0cbd1de8095be3ea353c07ba77ca13ee561165_amd64 as a component of 8Base-RHMTC-1.7",
"product_id": "8Base-RHMTC-1.7:rhmtc/openshift-migration-openvpn-rhel8@sha256:10c90d8813b9045bde25cac6cc0cbd1de8095be3ea353c07ba77ca13ee561165_amd64"
},
"product_reference": "rhmtc/openshift-migration-openvpn-rhel8@sha256:10c90d8813b9045bde25cac6cc0cbd1de8095be3ea353c07ba77ca13ee561165_amd64",
"relates_to_product_reference": "8Base-RHMTC-1.7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhmtc/openshift-migration-operator-bundle@sha256:9e0d9d0d4acaf95c553d1c23ec62161554a24fd8b2a6d9d50bad8cb4d8da7229_amd64 as a component of 8Base-RHMTC-1.7",
"product_id": "8Base-RHMTC-1.7:rhmtc/openshift-migration-operator-bundle@sha256:9e0d9d0d4acaf95c553d1c23ec62161554a24fd8b2a6d9d50bad8cb4d8da7229_amd64"
},
"product_reference": "rhmtc/openshift-migration-operator-bundle@sha256:9e0d9d0d4acaf95c553d1c23ec62161554a24fd8b2a6d9d50bad8cb4d8da7229_amd64",
"relates_to_product_reference": "8Base-RHMTC-1.7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhmtc/openshift-migration-registry-rhel8@sha256:24afdf147e24a631d8f4267d0594bf15db8a024bd1a86b49189c1d4c01acd5e5_amd64 as a component of 8Base-RHMTC-1.7",
"product_id": "8Base-RHMTC-1.7:rhmtc/openshift-migration-registry-rhel8@sha256:24afdf147e24a631d8f4267d0594bf15db8a024bd1a86b49189c1d4c01acd5e5_amd64"
},
"product_reference": "rhmtc/openshift-migration-registry-rhel8@sha256:24afdf147e24a631d8f4267d0594bf15db8a024bd1a86b49189c1d4c01acd5e5_amd64",
"relates_to_product_reference": "8Base-RHMTC-1.7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhmtc/openshift-migration-rhel8-operator@sha256:fc0422805208ff6b659ff190837f4dd8ce589b6862d7abd2c5d649b47271f6f9_amd64 as a component of 8Base-RHMTC-1.7",
"product_id": "8Base-RHMTC-1.7:rhmtc/openshift-migration-rhel8-operator@sha256:fc0422805208ff6b659ff190837f4dd8ce589b6862d7abd2c5d649b47271f6f9_amd64"
},
"product_reference": "rhmtc/openshift-migration-rhel8-operator@sha256:fc0422805208ff6b659ff190837f4dd8ce589b6862d7abd2c5d649b47271f6f9_amd64",
"relates_to_product_reference": "8Base-RHMTC-1.7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhmtc/openshift-migration-rsync-transfer-rhel8@sha256:70676a347e14d1a4d2c5dc2259c73a7348401eb51c16c0dcd62b78326b2d9e1b_amd64 as a component of 8Base-RHMTC-1.7",
"product_id": "8Base-RHMTC-1.7:rhmtc/openshift-migration-rsync-transfer-rhel8@sha256:70676a347e14d1a4d2c5dc2259c73a7348401eb51c16c0dcd62b78326b2d9e1b_amd64"
},
"product_reference": "rhmtc/openshift-migration-rsync-transfer-rhel8@sha256:70676a347e14d1a4d2c5dc2259c73a7348401eb51c16c0dcd62b78326b2d9e1b_amd64",
"relates_to_product_reference": "8Base-RHMTC-1.7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhmtc/openshift-migration-ui-rhel8@sha256:6da0fcb9118ff62926e16dcd0146c85ab0972cd7e304027032bf925b7bde4dd0_amd64 as a component of 8Base-RHMTC-1.7",
"product_id": "8Base-RHMTC-1.7:rhmtc/openshift-migration-ui-rhel8@sha256:6da0fcb9118ff62926e16dcd0146c85ab0972cd7e304027032bf925b7bde4dd0_amd64"
},
"product_reference": "rhmtc/openshift-migration-ui-rhel8@sha256:6da0fcb9118ff62926e16dcd0146c85ab0972cd7e304027032bf925b7bde4dd0_amd64",
"relates_to_product_reference": "8Base-RHMTC-1.7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhmtc/openshift-migration-velero-plugin-for-aws-rhel8@sha256:8c196e46603987091fac589001c805708f9f8d243c00f828938bbcca132d52a0_amd64 as a component of 8Base-RHMTC-1.7",
"product_id": "8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-plugin-for-aws-rhel8@sha256:8c196e46603987091fac589001c805708f9f8d243c00f828938bbcca132d52a0_amd64"
},
"product_reference": "rhmtc/openshift-migration-velero-plugin-for-aws-rhel8@sha256:8c196e46603987091fac589001c805708f9f8d243c00f828938bbcca132d52a0_amd64",
"relates_to_product_reference": "8Base-RHMTC-1.7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhmtc/openshift-migration-velero-plugin-for-gcp-rhel8@sha256:2dca85c9f00468f63d741c2133457122ebb148c6580c055174d5e6b9daaa33e2_amd64 as a component of 8Base-RHMTC-1.7",
"product_id": "8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-plugin-for-gcp-rhel8@sha256:2dca85c9f00468f63d741c2133457122ebb148c6580c055174d5e6b9daaa33e2_amd64"
},
"product_reference": "rhmtc/openshift-migration-velero-plugin-for-gcp-rhel8@sha256:2dca85c9f00468f63d741c2133457122ebb148c6580c055174d5e6b9daaa33e2_amd64",
"relates_to_product_reference": "8Base-RHMTC-1.7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhmtc/openshift-migration-velero-plugin-for-microsoft-azure-rhel8@sha256:8341be8ea6d3f65544829158f007c15865165fb590e43f0928ad22bcedeed870_amd64 as a component of 8Base-RHMTC-1.7",
"product_id": "8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-plugin-for-microsoft-azure-rhel8@sha256:8341be8ea6d3f65544829158f007c15865165fb590e43f0928ad22bcedeed870_amd64"
},
"product_reference": "rhmtc/openshift-migration-velero-plugin-for-microsoft-azure-rhel8@sha256:8341be8ea6d3f65544829158f007c15865165fb590e43f0928ad22bcedeed870_amd64",
"relates_to_product_reference": "8Base-RHMTC-1.7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhmtc/openshift-migration-velero-restic-restore-helper-rhel8@sha256:5837e38d784cf83e06b343dfbfc10f250cf399b6af810a8f584f7aadb5258a1b_amd64 as a component of 8Base-RHMTC-1.7",
"product_id": "8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-restic-restore-helper-rhel8@sha256:5837e38d784cf83e06b343dfbfc10f250cf399b6af810a8f584f7aadb5258a1b_amd64"
},
"product_reference": "rhmtc/openshift-migration-velero-restic-restore-helper-rhel8@sha256:5837e38d784cf83e06b343dfbfc10f250cf399b6af810a8f584f7aadb5258a1b_amd64",
"relates_to_product_reference": "8Base-RHMTC-1.7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhmtc/openshift-migration-velero-rhel8@sha256:b4102f9a94d6a539e695a446f59c9395287b53c10ccd4a2a274feec40c6e0368_amd64 as a component of 8Base-RHMTC-1.7",
"product_id": "8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-rhel8@sha256:b4102f9a94d6a539e695a446f59c9395287b53c10ccd4a2a274feec40c6e0368_amd64"
},
"product_reference": "rhmtc/openshift-migration-velero-rhel8@sha256:b4102f9a94d6a539e695a446f59c9395287b53c10ccd4a2a274feec40c6e0368_amd64",
"relates_to_product_reference": "8Base-RHMTC-1.7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhmtc/openshift-velero-plugin-rhel8@sha256:d6958eee44939ace90ddadc33f60a5cee1ce30ec97a65aeea4ec5788aaf08d94_amd64 as a component of 8Base-RHMTC-1.7",
"product_id": "8Base-RHMTC-1.7:rhmtc/openshift-velero-plugin-rhel8@sha256:d6958eee44939ace90ddadc33f60a5cee1ce30ec97a65aeea4ec5788aaf08d94_amd64"
},
"product_reference": "rhmtc/openshift-velero-plugin-rhel8@sha256:d6958eee44939ace90ddadc33f60a5cee1ce30ec97a65aeea4ec5788aaf08d94_amd64",
"relates_to_product_reference": "8Base-RHMTC-1.7"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2020-36567",
"cwe": {
"id": "CWE-117",
"name": "Improper Output Neutralization for Logs"
},
"discovery_date": "2022-12-28T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-RHMTC-1.7:rhmtc/openshift-migration-hook-runner-rhel8@sha256:61f534bd9ce8b65cc9111336e4db1d57a0e7f0a614094ee25b4532324a8bfe71_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-legacy-rhel8-operator@sha256:9213e3ca5be9a82934b910c188626a45f9f1265d032251e3337083ecf41c7bde_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-log-reader-rhel8@sha256:85b1795ccbe0f13810605b579ebd25a8bc3a41f25a0c6b98df654eb894e559b8_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-must-gather-rhel8@sha256:79741d28197747559160fe140258eb3c5bf5b42351ad88b2f00642eba2180fee_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-openvpn-rhel8@sha256:10c90d8813b9045bde25cac6cc0cbd1de8095be3ea353c07ba77ca13ee561165_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-operator-bundle@sha256:9e0d9d0d4acaf95c553d1c23ec62161554a24fd8b2a6d9d50bad8cb4d8da7229_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-registry-rhel8@sha256:24afdf147e24a631d8f4267d0594bf15db8a024bd1a86b49189c1d4c01acd5e5_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-rhel8-operator@sha256:fc0422805208ff6b659ff190837f4dd8ce589b6862d7abd2c5d649b47271f6f9_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-rsync-transfer-rhel8@sha256:70676a347e14d1a4d2c5dc2259c73a7348401eb51c16c0dcd62b78326b2d9e1b_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-ui-rhel8@sha256:6da0fcb9118ff62926e16dcd0146c85ab0972cd7e304027032bf925b7bde4dd0_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-plugin-for-aws-rhel8@sha256:8c196e46603987091fac589001c805708f9f8d243c00f828938bbcca132d52a0_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-plugin-for-gcp-rhel8@sha256:2dca85c9f00468f63d741c2133457122ebb148c6580c055174d5e6b9daaa33e2_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-plugin-for-microsoft-azure-rhel8@sha256:8341be8ea6d3f65544829158f007c15865165fb590e43f0928ad22bcedeed870_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-restic-restore-helper-rhel8@sha256:5837e38d784cf83e06b343dfbfc10f250cf399b6af810a8f584f7aadb5258a1b_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-rhel8@sha256:b4102f9a94d6a539e695a446f59c9395287b53c10ccd4a2a274feec40c6e0368_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-velero-plugin-rhel8@sha256:d6958eee44939ace90ddadc33f60a5cee1ce30ec97a65aeea4ec5788aaf08d94_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2156683"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in gin. This issue occurs when the default Formatter for the Logger middleware (LoggerConfig.Formatter), which is included in the Default engine, allows attackers to inject arbitrary log entries by manipulating the request path.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "gin: Unsanitized input in the default logger in github.com/gin-gonic/gin",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHMTC-1.7:rhmtc/openshift-migration-controller-rhel8@sha256:5bd15eedeaa345b05580d154819e813bde9feb60e99a5f5f03187c43205f7d0f_amd64"
],
"known_not_affected": [
"8Base-RHMTC-1.7:rhmtc/openshift-migration-hook-runner-rhel8@sha256:61f534bd9ce8b65cc9111336e4db1d57a0e7f0a614094ee25b4532324a8bfe71_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-legacy-rhel8-operator@sha256:9213e3ca5be9a82934b910c188626a45f9f1265d032251e3337083ecf41c7bde_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-log-reader-rhel8@sha256:85b1795ccbe0f13810605b579ebd25a8bc3a41f25a0c6b98df654eb894e559b8_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-must-gather-rhel8@sha256:79741d28197747559160fe140258eb3c5bf5b42351ad88b2f00642eba2180fee_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-openvpn-rhel8@sha256:10c90d8813b9045bde25cac6cc0cbd1de8095be3ea353c07ba77ca13ee561165_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-operator-bundle@sha256:9e0d9d0d4acaf95c553d1c23ec62161554a24fd8b2a6d9d50bad8cb4d8da7229_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-registry-rhel8@sha256:24afdf147e24a631d8f4267d0594bf15db8a024bd1a86b49189c1d4c01acd5e5_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-rhel8-operator@sha256:fc0422805208ff6b659ff190837f4dd8ce589b6862d7abd2c5d649b47271f6f9_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-rsync-transfer-rhel8@sha256:70676a347e14d1a4d2c5dc2259c73a7348401eb51c16c0dcd62b78326b2d9e1b_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-ui-rhel8@sha256:6da0fcb9118ff62926e16dcd0146c85ab0972cd7e304027032bf925b7bde4dd0_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-plugin-for-aws-rhel8@sha256:8c196e46603987091fac589001c805708f9f8d243c00f828938bbcca132d52a0_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-plugin-for-gcp-rhel8@sha256:2dca85c9f00468f63d741c2133457122ebb148c6580c055174d5e6b9daaa33e2_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-plugin-for-microsoft-azure-rhel8@sha256:8341be8ea6d3f65544829158f007c15865165fb590e43f0928ad22bcedeed870_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-restic-restore-helper-rhel8@sha256:5837e38d784cf83e06b343dfbfc10f250cf399b6af810a8f584f7aadb5258a1b_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-rhel8@sha256:b4102f9a94d6a539e695a446f59c9395287b53c10ccd4a2a274feec40c6e0368_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-velero-plugin-rhel8@sha256:d6958eee44939ace90ddadc33f60a5cee1ce30ec97a65aeea4ec5788aaf08d94_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2020-36567"
},
{
"category": "external",
"summary": "RHBZ#2156683",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2156683"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2020-36567",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-36567"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-36567",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-36567"
},
{
"category": "external",
"summary": "https://github.com/gin-gonic/gin/commit/a71af9c144f9579f6dbe945341c1df37aaf09c0d",
"url": "https://github.com/gin-gonic/gin/commit/a71af9c144f9579f6dbe945341c1df37aaf09c0d"
},
{
"category": "external",
"summary": "https://github.com/gin-gonic/gin/pull/2237",
"url": "https://github.com/gin-gonic/gin/pull/2237"
},
{
"category": "external",
"summary": "https://pkg.go.dev/vuln/GO-2020-0001",
"url": "https://pkg.go.dev/vuln/GO-2020-0001"
}
],
"release_date": "2022-12-27T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-23T02:16:09+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-RHMTC-1.7:rhmtc/openshift-migration-controller-rhel8@sha256:5bd15eedeaa345b05580d154819e813bde9feb60e99a5f5f03187c43205f7d0f_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1428"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"products": [
"8Base-RHMTC-1.7:rhmtc/openshift-migration-controller-rhel8@sha256:5bd15eedeaa345b05580d154819e813bde9feb60e99a5f5f03187c43205f7d0f_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-hook-runner-rhel8@sha256:61f534bd9ce8b65cc9111336e4db1d57a0e7f0a614094ee25b4532324a8bfe71_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-legacy-rhel8-operator@sha256:9213e3ca5be9a82934b910c188626a45f9f1265d032251e3337083ecf41c7bde_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-log-reader-rhel8@sha256:85b1795ccbe0f13810605b579ebd25a8bc3a41f25a0c6b98df654eb894e559b8_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-must-gather-rhel8@sha256:79741d28197747559160fe140258eb3c5bf5b42351ad88b2f00642eba2180fee_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-openvpn-rhel8@sha256:10c90d8813b9045bde25cac6cc0cbd1de8095be3ea353c07ba77ca13ee561165_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-operator-bundle@sha256:9e0d9d0d4acaf95c553d1c23ec62161554a24fd8b2a6d9d50bad8cb4d8da7229_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-registry-rhel8@sha256:24afdf147e24a631d8f4267d0594bf15db8a024bd1a86b49189c1d4c01acd5e5_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-rhel8-operator@sha256:fc0422805208ff6b659ff190837f4dd8ce589b6862d7abd2c5d649b47271f6f9_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-rsync-transfer-rhel8@sha256:70676a347e14d1a4d2c5dc2259c73a7348401eb51c16c0dcd62b78326b2d9e1b_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-ui-rhel8@sha256:6da0fcb9118ff62926e16dcd0146c85ab0972cd7e304027032bf925b7bde4dd0_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-plugin-for-aws-rhel8@sha256:8c196e46603987091fac589001c805708f9f8d243c00f828938bbcca132d52a0_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-plugin-for-gcp-rhel8@sha256:2dca85c9f00468f63d741c2133457122ebb148c6580c055174d5e6b9daaa33e2_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-plugin-for-microsoft-azure-rhel8@sha256:8341be8ea6d3f65544829158f007c15865165fb590e43f0928ad22bcedeed870_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-restic-restore-helper-rhel8@sha256:5837e38d784cf83e06b343dfbfc10f250cf399b6af810a8f584f7aadb5258a1b_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-rhel8@sha256:b4102f9a94d6a539e695a446f59c9395287b53c10ccd4a2a274feec40c6e0368_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-velero-plugin-rhel8@sha256:d6958eee44939ace90ddadc33f60a5cee1ce30ec97a65aeea4ec5788aaf08d94_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "gin: Unsanitized input in the default logger in github.com/gin-gonic/gin"
},
{
"cve": "CVE-2022-24999",
"cwe": {
"id": "CWE-1321",
"name": "Improperly Controlled Modification of Object Prototype Attributes (\u0027Prototype Pollution\u0027)"
},
"discovery_date": "2022-12-02T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-RHMTC-1.7:rhmtc/openshift-migration-controller-rhel8@sha256:5bd15eedeaa345b05580d154819e813bde9feb60e99a5f5f03187c43205f7d0f_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-hook-runner-rhel8@sha256:61f534bd9ce8b65cc9111336e4db1d57a0e7f0a614094ee25b4532324a8bfe71_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-legacy-rhel8-operator@sha256:9213e3ca5be9a82934b910c188626a45f9f1265d032251e3337083ecf41c7bde_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-log-reader-rhel8@sha256:85b1795ccbe0f13810605b579ebd25a8bc3a41f25a0c6b98df654eb894e559b8_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-must-gather-rhel8@sha256:79741d28197747559160fe140258eb3c5bf5b42351ad88b2f00642eba2180fee_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-openvpn-rhel8@sha256:10c90d8813b9045bde25cac6cc0cbd1de8095be3ea353c07ba77ca13ee561165_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-operator-bundle@sha256:9e0d9d0d4acaf95c553d1c23ec62161554a24fd8b2a6d9d50bad8cb4d8da7229_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-registry-rhel8@sha256:24afdf147e24a631d8f4267d0594bf15db8a024bd1a86b49189c1d4c01acd5e5_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-rhel8-operator@sha256:fc0422805208ff6b659ff190837f4dd8ce589b6862d7abd2c5d649b47271f6f9_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-rsync-transfer-rhel8@sha256:70676a347e14d1a4d2c5dc2259c73a7348401eb51c16c0dcd62b78326b2d9e1b_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-plugin-for-aws-rhel8@sha256:8c196e46603987091fac589001c805708f9f8d243c00f828938bbcca132d52a0_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-plugin-for-gcp-rhel8@sha256:2dca85c9f00468f63d741c2133457122ebb148c6580c055174d5e6b9daaa33e2_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-plugin-for-microsoft-azure-rhel8@sha256:8341be8ea6d3f65544829158f007c15865165fb590e43f0928ad22bcedeed870_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-restic-restore-helper-rhel8@sha256:5837e38d784cf83e06b343dfbfc10f250cf399b6af810a8f584f7aadb5258a1b_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-rhel8@sha256:b4102f9a94d6a539e695a446f59c9395287b53c10ccd4a2a274feec40c6e0368_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-velero-plugin-rhel8@sha256:d6958eee44939ace90ddadc33f60a5cee1ce30ec97a65aeea4ec5788aaf08d94_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2150323"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the express.js npm package of nodejs:14 module stream. Express.js Express is vulnerable to a denial of service caused by a prototype pollution flaw in qs. By adding or modifying properties of Object.prototype using a __proto__ or constructor payload, a remote attacker can cause a denial of service.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "express: \"qs\" prototype poisoning causes the hang of the node process",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "- The qs and express Package is not used by the OpenShift Container Platform console directly and is only a third-party package dependency. Hence, it is marked as wontfix. \nAs a result, any services that depend on Openshift for their use of qs and express are marked won\u0027t fix. \n- In OpenShift Service Mesh, \u0027qs\u0027 is hoisted from storybook and node-sass, both are dev dependencies, and the vulnerability is not exposed to end users. Hence marked as wontfix.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHMTC-1.7:rhmtc/openshift-migration-ui-rhel8@sha256:6da0fcb9118ff62926e16dcd0146c85ab0972cd7e304027032bf925b7bde4dd0_amd64"
],
"known_not_affected": [
"8Base-RHMTC-1.7:rhmtc/openshift-migration-controller-rhel8@sha256:5bd15eedeaa345b05580d154819e813bde9feb60e99a5f5f03187c43205f7d0f_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-hook-runner-rhel8@sha256:61f534bd9ce8b65cc9111336e4db1d57a0e7f0a614094ee25b4532324a8bfe71_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-legacy-rhel8-operator@sha256:9213e3ca5be9a82934b910c188626a45f9f1265d032251e3337083ecf41c7bde_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-log-reader-rhel8@sha256:85b1795ccbe0f13810605b579ebd25a8bc3a41f25a0c6b98df654eb894e559b8_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-must-gather-rhel8@sha256:79741d28197747559160fe140258eb3c5bf5b42351ad88b2f00642eba2180fee_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-openvpn-rhel8@sha256:10c90d8813b9045bde25cac6cc0cbd1de8095be3ea353c07ba77ca13ee561165_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-operator-bundle@sha256:9e0d9d0d4acaf95c553d1c23ec62161554a24fd8b2a6d9d50bad8cb4d8da7229_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-registry-rhel8@sha256:24afdf147e24a631d8f4267d0594bf15db8a024bd1a86b49189c1d4c01acd5e5_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-rhel8-operator@sha256:fc0422805208ff6b659ff190837f4dd8ce589b6862d7abd2c5d649b47271f6f9_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-rsync-transfer-rhel8@sha256:70676a347e14d1a4d2c5dc2259c73a7348401eb51c16c0dcd62b78326b2d9e1b_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-plugin-for-aws-rhel8@sha256:8c196e46603987091fac589001c805708f9f8d243c00f828938bbcca132d52a0_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-plugin-for-gcp-rhel8@sha256:2dca85c9f00468f63d741c2133457122ebb148c6580c055174d5e6b9daaa33e2_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-plugin-for-microsoft-azure-rhel8@sha256:8341be8ea6d3f65544829158f007c15865165fb590e43f0928ad22bcedeed870_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-restic-restore-helper-rhel8@sha256:5837e38d784cf83e06b343dfbfc10f250cf399b6af810a8f584f7aadb5258a1b_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-rhel8@sha256:b4102f9a94d6a539e695a446f59c9395287b53c10ccd4a2a274feec40c6e0368_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-velero-plugin-rhel8@sha256:d6958eee44939ace90ddadc33f60a5cee1ce30ec97a65aeea4ec5788aaf08d94_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-24999"
},
{
"category": "external",
"summary": "RHBZ#2150323",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2150323"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-24999",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-24999"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-24999",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24999"
},
{
"category": "external",
"summary": "https://github.com/expressjs/express/releases/tag/4.17.3",
"url": "https://github.com/expressjs/express/releases/tag/4.17.3"
},
{
"category": "external",
"summary": "https://github.com/ljharb/qs/pull/428",
"url": "https://github.com/ljharb/qs/pull/428"
},
{
"category": "external",
"summary": "https://github.com/n8tz/CVE-2022-24999",
"url": "https://github.com/n8tz/CVE-2022-24999"
}
],
"release_date": "2022-11-26T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-23T02:16:09+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-RHMTC-1.7:rhmtc/openshift-migration-ui-rhel8@sha256:6da0fcb9118ff62926e16dcd0146c85ab0972cd7e304027032bf925b7bde4dd0_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1428"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"8Base-RHMTC-1.7:rhmtc/openshift-migration-controller-rhel8@sha256:5bd15eedeaa345b05580d154819e813bde9feb60e99a5f5f03187c43205f7d0f_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-hook-runner-rhel8@sha256:61f534bd9ce8b65cc9111336e4db1d57a0e7f0a614094ee25b4532324a8bfe71_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-legacy-rhel8-operator@sha256:9213e3ca5be9a82934b910c188626a45f9f1265d032251e3337083ecf41c7bde_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-log-reader-rhel8@sha256:85b1795ccbe0f13810605b579ebd25a8bc3a41f25a0c6b98df654eb894e559b8_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-must-gather-rhel8@sha256:79741d28197747559160fe140258eb3c5bf5b42351ad88b2f00642eba2180fee_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-openvpn-rhel8@sha256:10c90d8813b9045bde25cac6cc0cbd1de8095be3ea353c07ba77ca13ee561165_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-operator-bundle@sha256:9e0d9d0d4acaf95c553d1c23ec62161554a24fd8b2a6d9d50bad8cb4d8da7229_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-registry-rhel8@sha256:24afdf147e24a631d8f4267d0594bf15db8a024bd1a86b49189c1d4c01acd5e5_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-rhel8-operator@sha256:fc0422805208ff6b659ff190837f4dd8ce589b6862d7abd2c5d649b47271f6f9_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-rsync-transfer-rhel8@sha256:70676a347e14d1a4d2c5dc2259c73a7348401eb51c16c0dcd62b78326b2d9e1b_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-ui-rhel8@sha256:6da0fcb9118ff62926e16dcd0146c85ab0972cd7e304027032bf925b7bde4dd0_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-plugin-for-aws-rhel8@sha256:8c196e46603987091fac589001c805708f9f8d243c00f828938bbcca132d52a0_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-plugin-for-gcp-rhel8@sha256:2dca85c9f00468f63d741c2133457122ebb148c6580c055174d5e6b9daaa33e2_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-plugin-for-microsoft-azure-rhel8@sha256:8341be8ea6d3f65544829158f007c15865165fb590e43f0928ad22bcedeed870_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-restic-restore-helper-rhel8@sha256:5837e38d784cf83e06b343dfbfc10f250cf399b6af810a8f584f7aadb5258a1b_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-rhel8@sha256:b4102f9a94d6a539e695a446f59c9395287b53c10ccd4a2a274feec40c6e0368_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-velero-plugin-rhel8@sha256:d6958eee44939ace90ddadc33f60a5cee1ce30ec97a65aeea4ec5788aaf08d94_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "express: \"qs\" prototype poisoning causes the hang of the node process"
},
{
"cve": "CVE-2022-25881",
"cwe": {
"id": "CWE-1333",
"name": "Inefficient Regular Expression Complexity"
},
"discovery_date": "2023-01-31T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-RHMTC-1.7:rhmtc/openshift-migration-controller-rhel8@sha256:5bd15eedeaa345b05580d154819e813bde9feb60e99a5f5f03187c43205f7d0f_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-hook-runner-rhel8@sha256:61f534bd9ce8b65cc9111336e4db1d57a0e7f0a614094ee25b4532324a8bfe71_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-legacy-rhel8-operator@sha256:9213e3ca5be9a82934b910c188626a45f9f1265d032251e3337083ecf41c7bde_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-log-reader-rhel8@sha256:85b1795ccbe0f13810605b579ebd25a8bc3a41f25a0c6b98df654eb894e559b8_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-must-gather-rhel8@sha256:79741d28197747559160fe140258eb3c5bf5b42351ad88b2f00642eba2180fee_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-openvpn-rhel8@sha256:10c90d8813b9045bde25cac6cc0cbd1de8095be3ea353c07ba77ca13ee561165_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-operator-bundle@sha256:9e0d9d0d4acaf95c553d1c23ec62161554a24fd8b2a6d9d50bad8cb4d8da7229_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-registry-rhel8@sha256:24afdf147e24a631d8f4267d0594bf15db8a024bd1a86b49189c1d4c01acd5e5_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-rhel8-operator@sha256:fc0422805208ff6b659ff190837f4dd8ce589b6862d7abd2c5d649b47271f6f9_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-rsync-transfer-rhel8@sha256:70676a347e14d1a4d2c5dc2259c73a7348401eb51c16c0dcd62b78326b2d9e1b_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-plugin-for-aws-rhel8@sha256:8c196e46603987091fac589001c805708f9f8d243c00f828938bbcca132d52a0_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-plugin-for-gcp-rhel8@sha256:2dca85c9f00468f63d741c2133457122ebb148c6580c055174d5e6b9daaa33e2_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-plugin-for-microsoft-azure-rhel8@sha256:8341be8ea6d3f65544829158f007c15865165fb590e43f0928ad22bcedeed870_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-restic-restore-helper-rhel8@sha256:5837e38d784cf83e06b343dfbfc10f250cf399b6af810a8f584f7aadb5258a1b_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-rhel8@sha256:b4102f9a94d6a539e695a446f59c9395287b53c10ccd4a2a274feec40c6e0368_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-velero-plugin-rhel8@sha256:d6958eee44939ace90ddadc33f60a5cee1ce30ec97a65aeea4ec5788aaf08d94_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2165824"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in http-cache-semantics. When the server reads the cache policy from the request using this library, a Regular Expression Denial of Service occurs, caused by malicious request header values sent to the server.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "http-cache-semantics: Regular Expression Denial of Service (ReDoS) vulnerability",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHMTC-1.7:rhmtc/openshift-migration-ui-rhel8@sha256:6da0fcb9118ff62926e16dcd0146c85ab0972cd7e304027032bf925b7bde4dd0_amd64"
],
"known_not_affected": [
"8Base-RHMTC-1.7:rhmtc/openshift-migration-controller-rhel8@sha256:5bd15eedeaa345b05580d154819e813bde9feb60e99a5f5f03187c43205f7d0f_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-hook-runner-rhel8@sha256:61f534bd9ce8b65cc9111336e4db1d57a0e7f0a614094ee25b4532324a8bfe71_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-legacy-rhel8-operator@sha256:9213e3ca5be9a82934b910c188626a45f9f1265d032251e3337083ecf41c7bde_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-log-reader-rhel8@sha256:85b1795ccbe0f13810605b579ebd25a8bc3a41f25a0c6b98df654eb894e559b8_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-must-gather-rhel8@sha256:79741d28197747559160fe140258eb3c5bf5b42351ad88b2f00642eba2180fee_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-openvpn-rhel8@sha256:10c90d8813b9045bde25cac6cc0cbd1de8095be3ea353c07ba77ca13ee561165_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-operator-bundle@sha256:9e0d9d0d4acaf95c553d1c23ec62161554a24fd8b2a6d9d50bad8cb4d8da7229_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-registry-rhel8@sha256:24afdf147e24a631d8f4267d0594bf15db8a024bd1a86b49189c1d4c01acd5e5_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-rhel8-operator@sha256:fc0422805208ff6b659ff190837f4dd8ce589b6862d7abd2c5d649b47271f6f9_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-rsync-transfer-rhel8@sha256:70676a347e14d1a4d2c5dc2259c73a7348401eb51c16c0dcd62b78326b2d9e1b_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-plugin-for-aws-rhel8@sha256:8c196e46603987091fac589001c805708f9f8d243c00f828938bbcca132d52a0_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-plugin-for-gcp-rhel8@sha256:2dca85c9f00468f63d741c2133457122ebb148c6580c055174d5e6b9daaa33e2_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-plugin-for-microsoft-azure-rhel8@sha256:8341be8ea6d3f65544829158f007c15865165fb590e43f0928ad22bcedeed870_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-restic-restore-helper-rhel8@sha256:5837e38d784cf83e06b343dfbfc10f250cf399b6af810a8f584f7aadb5258a1b_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-rhel8@sha256:b4102f9a94d6a539e695a446f59c9395287b53c10ccd4a2a274feec40c6e0368_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-velero-plugin-rhel8@sha256:d6958eee44939ace90ddadc33f60a5cee1ce30ec97a65aeea4ec5788aaf08d94_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-25881"
},
{
"category": "external",
"summary": "RHBZ#2165824",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2165824"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-25881",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-25881"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-25881",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-25881"
}
],
"release_date": "2023-01-31T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-23T02:16:09+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-RHMTC-1.7:rhmtc/openshift-migration-ui-rhel8@sha256:6da0fcb9118ff62926e16dcd0146c85ab0972cd7e304027032bf925b7bde4dd0_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1428"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"8Base-RHMTC-1.7:rhmtc/openshift-migration-controller-rhel8@sha256:5bd15eedeaa345b05580d154819e813bde9feb60e99a5f5f03187c43205f7d0f_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-hook-runner-rhel8@sha256:61f534bd9ce8b65cc9111336e4db1d57a0e7f0a614094ee25b4532324a8bfe71_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-legacy-rhel8-operator@sha256:9213e3ca5be9a82934b910c188626a45f9f1265d032251e3337083ecf41c7bde_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-log-reader-rhel8@sha256:85b1795ccbe0f13810605b579ebd25a8bc3a41f25a0c6b98df654eb894e559b8_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-must-gather-rhel8@sha256:79741d28197747559160fe140258eb3c5bf5b42351ad88b2f00642eba2180fee_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-openvpn-rhel8@sha256:10c90d8813b9045bde25cac6cc0cbd1de8095be3ea353c07ba77ca13ee561165_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-operator-bundle@sha256:9e0d9d0d4acaf95c553d1c23ec62161554a24fd8b2a6d9d50bad8cb4d8da7229_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-registry-rhel8@sha256:24afdf147e24a631d8f4267d0594bf15db8a024bd1a86b49189c1d4c01acd5e5_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-rhel8-operator@sha256:fc0422805208ff6b659ff190837f4dd8ce589b6862d7abd2c5d649b47271f6f9_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-rsync-transfer-rhel8@sha256:70676a347e14d1a4d2c5dc2259c73a7348401eb51c16c0dcd62b78326b2d9e1b_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-ui-rhel8@sha256:6da0fcb9118ff62926e16dcd0146c85ab0972cd7e304027032bf925b7bde4dd0_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-plugin-for-aws-rhel8@sha256:8c196e46603987091fac589001c805708f9f8d243c00f828938bbcca132d52a0_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-plugin-for-gcp-rhel8@sha256:2dca85c9f00468f63d741c2133457122ebb148c6580c055174d5e6b9daaa33e2_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-plugin-for-microsoft-azure-rhel8@sha256:8341be8ea6d3f65544829158f007c15865165fb590e43f0928ad22bcedeed870_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-restic-restore-helper-rhel8@sha256:5837e38d784cf83e06b343dfbfc10f250cf399b6af810a8f584f7aadb5258a1b_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-rhel8@sha256:b4102f9a94d6a539e695a446f59c9395287b53c10ccd4a2a274feec40c6e0368_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-velero-plugin-rhel8@sha256:d6958eee44939ace90ddadc33f60a5cee1ce30ec97a65aeea4ec5788aaf08d94_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "http-cache-semantics: Regular Expression Denial of Service (ReDoS) vulnerability"
},
{
"cve": "CVE-2022-25927",
"cwe": {
"id": "CWE-1333",
"name": "Inefficient Regular Expression Complexity"
},
"discovery_date": "2023-01-27T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-RHMTC-1.7:rhmtc/openshift-migration-controller-rhel8@sha256:5bd15eedeaa345b05580d154819e813bde9feb60e99a5f5f03187c43205f7d0f_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-hook-runner-rhel8@sha256:61f534bd9ce8b65cc9111336e4db1d57a0e7f0a614094ee25b4532324a8bfe71_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-legacy-rhel8-operator@sha256:9213e3ca5be9a82934b910c188626a45f9f1265d032251e3337083ecf41c7bde_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-log-reader-rhel8@sha256:85b1795ccbe0f13810605b579ebd25a8bc3a41f25a0c6b98df654eb894e559b8_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-must-gather-rhel8@sha256:79741d28197747559160fe140258eb3c5bf5b42351ad88b2f00642eba2180fee_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-openvpn-rhel8@sha256:10c90d8813b9045bde25cac6cc0cbd1de8095be3ea353c07ba77ca13ee561165_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-operator-bundle@sha256:9e0d9d0d4acaf95c553d1c23ec62161554a24fd8b2a6d9d50bad8cb4d8da7229_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-registry-rhel8@sha256:24afdf147e24a631d8f4267d0594bf15db8a024bd1a86b49189c1d4c01acd5e5_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-rhel8-operator@sha256:fc0422805208ff6b659ff190837f4dd8ce589b6862d7abd2c5d649b47271f6f9_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-rsync-transfer-rhel8@sha256:70676a347e14d1a4d2c5dc2259c73a7348401eb51c16c0dcd62b78326b2d9e1b_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-plugin-for-aws-rhel8@sha256:8c196e46603987091fac589001c805708f9f8d243c00f828938bbcca132d52a0_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-plugin-for-gcp-rhel8@sha256:2dca85c9f00468f63d741c2133457122ebb148c6580c055174d5e6b9daaa33e2_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-plugin-for-microsoft-azure-rhel8@sha256:8341be8ea6d3f65544829158f007c15865165fb590e43f0928ad22bcedeed870_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-restic-restore-helper-rhel8@sha256:5837e38d784cf83e06b343dfbfc10f250cf399b6af810a8f584f7aadb5258a1b_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-rhel8@sha256:b4102f9a94d6a539e695a446f59c9395287b53c10ccd4a2a274feec40c6e0368_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-velero-plugin-rhel8@sha256:d6958eee44939ace90ddadc33f60a5cee1ce30ec97a65aeea4ec5788aaf08d94_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2165020"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in ua-parser-js. This issue could allow a malicious user to trigger a regular expression denial of service (ReDoS) via the trim() function.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "ua-parser-js: ReDoS vulnerability via the trim() function",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHMTC-1.7:rhmtc/openshift-migration-ui-rhel8@sha256:6da0fcb9118ff62926e16dcd0146c85ab0972cd7e304027032bf925b7bde4dd0_amd64"
],
"known_not_affected": [
"8Base-RHMTC-1.7:rhmtc/openshift-migration-controller-rhel8@sha256:5bd15eedeaa345b05580d154819e813bde9feb60e99a5f5f03187c43205f7d0f_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-hook-runner-rhel8@sha256:61f534bd9ce8b65cc9111336e4db1d57a0e7f0a614094ee25b4532324a8bfe71_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-legacy-rhel8-operator@sha256:9213e3ca5be9a82934b910c188626a45f9f1265d032251e3337083ecf41c7bde_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-log-reader-rhel8@sha256:85b1795ccbe0f13810605b579ebd25a8bc3a41f25a0c6b98df654eb894e559b8_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-must-gather-rhel8@sha256:79741d28197747559160fe140258eb3c5bf5b42351ad88b2f00642eba2180fee_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-openvpn-rhel8@sha256:10c90d8813b9045bde25cac6cc0cbd1de8095be3ea353c07ba77ca13ee561165_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-operator-bundle@sha256:9e0d9d0d4acaf95c553d1c23ec62161554a24fd8b2a6d9d50bad8cb4d8da7229_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-registry-rhel8@sha256:24afdf147e24a631d8f4267d0594bf15db8a024bd1a86b49189c1d4c01acd5e5_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-rhel8-operator@sha256:fc0422805208ff6b659ff190837f4dd8ce589b6862d7abd2c5d649b47271f6f9_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-rsync-transfer-rhel8@sha256:70676a347e14d1a4d2c5dc2259c73a7348401eb51c16c0dcd62b78326b2d9e1b_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-plugin-for-aws-rhel8@sha256:8c196e46603987091fac589001c805708f9f8d243c00f828938bbcca132d52a0_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-plugin-for-gcp-rhel8@sha256:2dca85c9f00468f63d741c2133457122ebb148c6580c055174d5e6b9daaa33e2_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-plugin-for-microsoft-azure-rhel8@sha256:8341be8ea6d3f65544829158f007c15865165fb590e43f0928ad22bcedeed870_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-restic-restore-helper-rhel8@sha256:5837e38d784cf83e06b343dfbfc10f250cf399b6af810a8f584f7aadb5258a1b_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-rhel8@sha256:b4102f9a94d6a539e695a446f59c9395287b53c10ccd4a2a274feec40c6e0368_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-velero-plugin-rhel8@sha256:d6958eee44939ace90ddadc33f60a5cee1ce30ec97a65aeea4ec5788aaf08d94_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-25927"
},
{
"category": "external",
"summary": "RHBZ#2165020",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2165020"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-25927",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-25927"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-25927",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-25927"
}
],
"release_date": "2023-01-22T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-23T02:16:09+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-RHMTC-1.7:rhmtc/openshift-migration-ui-rhel8@sha256:6da0fcb9118ff62926e16dcd0146c85ab0972cd7e304027032bf925b7bde4dd0_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1428"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"8Base-RHMTC-1.7:rhmtc/openshift-migration-controller-rhel8@sha256:5bd15eedeaa345b05580d154819e813bde9feb60e99a5f5f03187c43205f7d0f_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-hook-runner-rhel8@sha256:61f534bd9ce8b65cc9111336e4db1d57a0e7f0a614094ee25b4532324a8bfe71_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-legacy-rhel8-operator@sha256:9213e3ca5be9a82934b910c188626a45f9f1265d032251e3337083ecf41c7bde_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-log-reader-rhel8@sha256:85b1795ccbe0f13810605b579ebd25a8bc3a41f25a0c6b98df654eb894e559b8_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-must-gather-rhel8@sha256:79741d28197747559160fe140258eb3c5bf5b42351ad88b2f00642eba2180fee_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-openvpn-rhel8@sha256:10c90d8813b9045bde25cac6cc0cbd1de8095be3ea353c07ba77ca13ee561165_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-operator-bundle@sha256:9e0d9d0d4acaf95c553d1c23ec62161554a24fd8b2a6d9d50bad8cb4d8da7229_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-registry-rhel8@sha256:24afdf147e24a631d8f4267d0594bf15db8a024bd1a86b49189c1d4c01acd5e5_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-rhel8-operator@sha256:fc0422805208ff6b659ff190837f4dd8ce589b6862d7abd2c5d649b47271f6f9_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-rsync-transfer-rhel8@sha256:70676a347e14d1a4d2c5dc2259c73a7348401eb51c16c0dcd62b78326b2d9e1b_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-ui-rhel8@sha256:6da0fcb9118ff62926e16dcd0146c85ab0972cd7e304027032bf925b7bde4dd0_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-plugin-for-aws-rhel8@sha256:8c196e46603987091fac589001c805708f9f8d243c00f828938bbcca132d52a0_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-plugin-for-gcp-rhel8@sha256:2dca85c9f00468f63d741c2133457122ebb148c6580c055174d5e6b9daaa33e2_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-plugin-for-microsoft-azure-rhel8@sha256:8341be8ea6d3f65544829158f007c15865165fb590e43f0928ad22bcedeed870_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-restic-restore-helper-rhel8@sha256:5837e38d784cf83e06b343dfbfc10f250cf399b6af810a8f584f7aadb5258a1b_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-rhel8@sha256:b4102f9a94d6a539e695a446f59c9395287b53c10ccd4a2a274feec40c6e0368_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-velero-plugin-rhel8@sha256:d6958eee44939ace90ddadc33f60a5cee1ce30ec97a65aeea4ec5788aaf08d94_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "ua-parser-js: ReDoS vulnerability via the trim() function"
},
{
"cve": "CVE-2022-37603",
"cwe": {
"id": "CWE-185",
"name": "Incorrect Regular Expression"
},
"discovery_date": "2022-11-07T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-RHMTC-1.7:rhmtc/openshift-migration-controller-rhel8@sha256:5bd15eedeaa345b05580d154819e813bde9feb60e99a5f5f03187c43205f7d0f_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-hook-runner-rhel8@sha256:61f534bd9ce8b65cc9111336e4db1d57a0e7f0a614094ee25b4532324a8bfe71_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-legacy-rhel8-operator@sha256:9213e3ca5be9a82934b910c188626a45f9f1265d032251e3337083ecf41c7bde_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-log-reader-rhel8@sha256:85b1795ccbe0f13810605b579ebd25a8bc3a41f25a0c6b98df654eb894e559b8_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-must-gather-rhel8@sha256:79741d28197747559160fe140258eb3c5bf5b42351ad88b2f00642eba2180fee_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-openvpn-rhel8@sha256:10c90d8813b9045bde25cac6cc0cbd1de8095be3ea353c07ba77ca13ee561165_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-operator-bundle@sha256:9e0d9d0d4acaf95c553d1c23ec62161554a24fd8b2a6d9d50bad8cb4d8da7229_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-registry-rhel8@sha256:24afdf147e24a631d8f4267d0594bf15db8a024bd1a86b49189c1d4c01acd5e5_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-rhel8-operator@sha256:fc0422805208ff6b659ff190837f4dd8ce589b6862d7abd2c5d649b47271f6f9_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-rsync-transfer-rhel8@sha256:70676a347e14d1a4d2c5dc2259c73a7348401eb51c16c0dcd62b78326b2d9e1b_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-plugin-for-aws-rhel8@sha256:8c196e46603987091fac589001c805708f9f8d243c00f828938bbcca132d52a0_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-plugin-for-gcp-rhel8@sha256:2dca85c9f00468f63d741c2133457122ebb148c6580c055174d5e6b9daaa33e2_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-plugin-for-microsoft-azure-rhel8@sha256:8341be8ea6d3f65544829158f007c15865165fb590e43f0928ad22bcedeed870_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-restic-restore-helper-rhel8@sha256:5837e38d784cf83e06b343dfbfc10f250cf399b6af810a8f584f7aadb5258a1b_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-rhel8@sha256:b4102f9a94d6a539e695a446f59c9395287b53c10ccd4a2a274feec40c6e0368_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-velero-plugin-rhel8@sha256:d6958eee44939ace90ddadc33f60a5cee1ce30ec97a65aeea4ec5788aaf08d94_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2140597"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in loader-utils webpack library. When the url variable from interpolateName is set, the prototype can be polluted. This issue could lead to a regular expression Denial of Service (ReDoS), affecting the availability of the affected component.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "loader-utils: Regular expression denial of service",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHMTC-1.7:rhmtc/openshift-migration-ui-rhel8@sha256:6da0fcb9118ff62926e16dcd0146c85ab0972cd7e304027032bf925b7bde4dd0_amd64"
],
"known_not_affected": [
"8Base-RHMTC-1.7:rhmtc/openshift-migration-controller-rhel8@sha256:5bd15eedeaa345b05580d154819e813bde9feb60e99a5f5f03187c43205f7d0f_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-hook-runner-rhel8@sha256:61f534bd9ce8b65cc9111336e4db1d57a0e7f0a614094ee25b4532324a8bfe71_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-legacy-rhel8-operator@sha256:9213e3ca5be9a82934b910c188626a45f9f1265d032251e3337083ecf41c7bde_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-log-reader-rhel8@sha256:85b1795ccbe0f13810605b579ebd25a8bc3a41f25a0c6b98df654eb894e559b8_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-must-gather-rhel8@sha256:79741d28197747559160fe140258eb3c5bf5b42351ad88b2f00642eba2180fee_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-openvpn-rhel8@sha256:10c90d8813b9045bde25cac6cc0cbd1de8095be3ea353c07ba77ca13ee561165_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-operator-bundle@sha256:9e0d9d0d4acaf95c553d1c23ec62161554a24fd8b2a6d9d50bad8cb4d8da7229_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-registry-rhel8@sha256:24afdf147e24a631d8f4267d0594bf15db8a024bd1a86b49189c1d4c01acd5e5_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-rhel8-operator@sha256:fc0422805208ff6b659ff190837f4dd8ce589b6862d7abd2c5d649b47271f6f9_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-rsync-transfer-rhel8@sha256:70676a347e14d1a4d2c5dc2259c73a7348401eb51c16c0dcd62b78326b2d9e1b_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-plugin-for-aws-rhel8@sha256:8c196e46603987091fac589001c805708f9f8d243c00f828938bbcca132d52a0_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-plugin-for-gcp-rhel8@sha256:2dca85c9f00468f63d741c2133457122ebb148c6580c055174d5e6b9daaa33e2_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-plugin-for-microsoft-azure-rhel8@sha256:8341be8ea6d3f65544829158f007c15865165fb590e43f0928ad22bcedeed870_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-restic-restore-helper-rhel8@sha256:5837e38d784cf83e06b343dfbfc10f250cf399b6af810a8f584f7aadb5258a1b_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-rhel8@sha256:b4102f9a94d6a539e695a446f59c9395287b53c10ccd4a2a274feec40c6e0368_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-velero-plugin-rhel8@sha256:d6958eee44939ace90ddadc33f60a5cee1ce30ec97a65aeea4ec5788aaf08d94_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-37603"
},
{
"category": "external",
"summary": "RHBZ#2140597",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2140597"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-37603",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-37603"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-37603",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-37603"
}
],
"release_date": "2022-10-06T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-23T02:16:09+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-RHMTC-1.7:rhmtc/openshift-migration-ui-rhel8@sha256:6da0fcb9118ff62926e16dcd0146c85ab0972cd7e304027032bf925b7bde4dd0_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1428"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"8Base-RHMTC-1.7:rhmtc/openshift-migration-controller-rhel8@sha256:5bd15eedeaa345b05580d154819e813bde9feb60e99a5f5f03187c43205f7d0f_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-hook-runner-rhel8@sha256:61f534bd9ce8b65cc9111336e4db1d57a0e7f0a614094ee25b4532324a8bfe71_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-legacy-rhel8-operator@sha256:9213e3ca5be9a82934b910c188626a45f9f1265d032251e3337083ecf41c7bde_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-log-reader-rhel8@sha256:85b1795ccbe0f13810605b579ebd25a8bc3a41f25a0c6b98df654eb894e559b8_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-must-gather-rhel8@sha256:79741d28197747559160fe140258eb3c5bf5b42351ad88b2f00642eba2180fee_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-openvpn-rhel8@sha256:10c90d8813b9045bde25cac6cc0cbd1de8095be3ea353c07ba77ca13ee561165_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-operator-bundle@sha256:9e0d9d0d4acaf95c553d1c23ec62161554a24fd8b2a6d9d50bad8cb4d8da7229_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-registry-rhel8@sha256:24afdf147e24a631d8f4267d0594bf15db8a024bd1a86b49189c1d4c01acd5e5_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-rhel8-operator@sha256:fc0422805208ff6b659ff190837f4dd8ce589b6862d7abd2c5d649b47271f6f9_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-rsync-transfer-rhel8@sha256:70676a347e14d1a4d2c5dc2259c73a7348401eb51c16c0dcd62b78326b2d9e1b_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-ui-rhel8@sha256:6da0fcb9118ff62926e16dcd0146c85ab0972cd7e304027032bf925b7bde4dd0_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-plugin-for-aws-rhel8@sha256:8c196e46603987091fac589001c805708f9f8d243c00f828938bbcca132d52a0_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-plugin-for-gcp-rhel8@sha256:2dca85c9f00468f63d741c2133457122ebb148c6580c055174d5e6b9daaa33e2_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-plugin-for-microsoft-azure-rhel8@sha256:8341be8ea6d3f65544829158f007c15865165fb590e43f0928ad22bcedeed870_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-restic-restore-helper-rhel8@sha256:5837e38d784cf83e06b343dfbfc10f250cf399b6af810a8f584f7aadb5258a1b_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-rhel8@sha256:b4102f9a94d6a539e695a446f59c9395287b53c10ccd4a2a274feec40c6e0368_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-velero-plugin-rhel8@sha256:d6958eee44939ace90ddadc33f60a5cee1ce30ec97a65aeea4ec5788aaf08d94_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "loader-utils: Regular expression denial of service"
},
{
"cve": "CVE-2022-38900",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"discovery_date": "2023-02-16T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-RHMTC-1.7:rhmtc/openshift-migration-controller-rhel8@sha256:5bd15eedeaa345b05580d154819e813bde9feb60e99a5f5f03187c43205f7d0f_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-hook-runner-rhel8@sha256:61f534bd9ce8b65cc9111336e4db1d57a0e7f0a614094ee25b4532324a8bfe71_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-legacy-rhel8-operator@sha256:9213e3ca5be9a82934b910c188626a45f9f1265d032251e3337083ecf41c7bde_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-log-reader-rhel8@sha256:85b1795ccbe0f13810605b579ebd25a8bc3a41f25a0c6b98df654eb894e559b8_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-must-gather-rhel8@sha256:79741d28197747559160fe140258eb3c5bf5b42351ad88b2f00642eba2180fee_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-openvpn-rhel8@sha256:10c90d8813b9045bde25cac6cc0cbd1de8095be3ea353c07ba77ca13ee561165_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-operator-bundle@sha256:9e0d9d0d4acaf95c553d1c23ec62161554a24fd8b2a6d9d50bad8cb4d8da7229_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-registry-rhel8@sha256:24afdf147e24a631d8f4267d0594bf15db8a024bd1a86b49189c1d4c01acd5e5_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-rhel8-operator@sha256:fc0422805208ff6b659ff190837f4dd8ce589b6862d7abd2c5d649b47271f6f9_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-rsync-transfer-rhel8@sha256:70676a347e14d1a4d2c5dc2259c73a7348401eb51c16c0dcd62b78326b2d9e1b_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-plugin-for-aws-rhel8@sha256:8c196e46603987091fac589001c805708f9f8d243c00f828938bbcca132d52a0_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-plugin-for-gcp-rhel8@sha256:2dca85c9f00468f63d741c2133457122ebb148c6580c055174d5e6b9daaa33e2_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-plugin-for-microsoft-azure-rhel8@sha256:8341be8ea6d3f65544829158f007c15865165fb590e43f0928ad22bcedeed870_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-restic-restore-helper-rhel8@sha256:5837e38d784cf83e06b343dfbfc10f250cf399b6af810a8f584f7aadb5258a1b_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-rhel8@sha256:b4102f9a94d6a539e695a446f59c9395287b53c10ccd4a2a274feec40c6e0368_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-velero-plugin-rhel8@sha256:d6958eee44939ace90ddadc33f60a5cee1ce30ec97a65aeea4ec5788aaf08d94_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2170644"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in decode-uri-component. This issue occurs due to a specially crafted input, resulting in a denial of service.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "decode-uri-component: improper input validation resulting in DoS",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "For OpenShift Container Platform (OCP), Advanced Clusters Management for Kubernetes (ACM) and Advanced Cluster Security (ACS), the NPM decode-uri-component package is only present in source repositories as a development dependency, it is not used in production. Therefore this vulnerability is rated Low for OCP and ACS.\n\nIn Red Hat OpenShift Logging the openshift-logging/kibana6-rhel8 container bundles many nodejs packages as a build time dependencies, including the decode-uri-component package. \nThe vulnerable code is not used, hence the impact to OpenShift Logging by this vulnerability is Low.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHMTC-1.7:rhmtc/openshift-migration-ui-rhel8@sha256:6da0fcb9118ff62926e16dcd0146c85ab0972cd7e304027032bf925b7bde4dd0_amd64"
],
"known_not_affected": [
"8Base-RHMTC-1.7:rhmtc/openshift-migration-controller-rhel8@sha256:5bd15eedeaa345b05580d154819e813bde9feb60e99a5f5f03187c43205f7d0f_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-hook-runner-rhel8@sha256:61f534bd9ce8b65cc9111336e4db1d57a0e7f0a614094ee25b4532324a8bfe71_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-legacy-rhel8-operator@sha256:9213e3ca5be9a82934b910c188626a45f9f1265d032251e3337083ecf41c7bde_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-log-reader-rhel8@sha256:85b1795ccbe0f13810605b579ebd25a8bc3a41f25a0c6b98df654eb894e559b8_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-must-gather-rhel8@sha256:79741d28197747559160fe140258eb3c5bf5b42351ad88b2f00642eba2180fee_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-openvpn-rhel8@sha256:10c90d8813b9045bde25cac6cc0cbd1de8095be3ea353c07ba77ca13ee561165_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-operator-bundle@sha256:9e0d9d0d4acaf95c553d1c23ec62161554a24fd8b2a6d9d50bad8cb4d8da7229_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-registry-rhel8@sha256:24afdf147e24a631d8f4267d0594bf15db8a024bd1a86b49189c1d4c01acd5e5_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-rhel8-operator@sha256:fc0422805208ff6b659ff190837f4dd8ce589b6862d7abd2c5d649b47271f6f9_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-rsync-transfer-rhel8@sha256:70676a347e14d1a4d2c5dc2259c73a7348401eb51c16c0dcd62b78326b2d9e1b_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-plugin-for-aws-rhel8@sha256:8c196e46603987091fac589001c805708f9f8d243c00f828938bbcca132d52a0_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-plugin-for-gcp-rhel8@sha256:2dca85c9f00468f63d741c2133457122ebb148c6580c055174d5e6b9daaa33e2_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-plugin-for-microsoft-azure-rhel8@sha256:8341be8ea6d3f65544829158f007c15865165fb590e43f0928ad22bcedeed870_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-restic-restore-helper-rhel8@sha256:5837e38d784cf83e06b343dfbfc10f250cf399b6af810a8f584f7aadb5258a1b_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-rhel8@sha256:b4102f9a94d6a539e695a446f59c9395287b53c10ccd4a2a274feec40c6e0368_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-velero-plugin-rhel8@sha256:d6958eee44939ace90ddadc33f60a5cee1ce30ec97a65aeea4ec5788aaf08d94_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-38900"
},
{
"category": "external",
"summary": "RHBZ#2170644",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2170644"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-38900",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-38900"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-38900",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-38900"
},
{
"category": "external",
"summary": "https://github.com/SamVerschueren/decode-uri-component/issues/5",
"url": "https://github.com/SamVerschueren/decode-uri-component/issues/5"
},
{
"category": "external",
"summary": "https://github.com/advisories/GHSA-w573-4hg7-7wgq",
"url": "https://github.com/advisories/GHSA-w573-4hg7-7wgq"
}
],
"release_date": "2022-11-28T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-23T02:16:09+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-RHMTC-1.7:rhmtc/openshift-migration-ui-rhel8@sha256:6da0fcb9118ff62926e16dcd0146c85ab0972cd7e304027032bf925b7bde4dd0_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1428"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"8Base-RHMTC-1.7:rhmtc/openshift-migration-controller-rhel8@sha256:5bd15eedeaa345b05580d154819e813bde9feb60e99a5f5f03187c43205f7d0f_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-hook-runner-rhel8@sha256:61f534bd9ce8b65cc9111336e4db1d57a0e7f0a614094ee25b4532324a8bfe71_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-legacy-rhel8-operator@sha256:9213e3ca5be9a82934b910c188626a45f9f1265d032251e3337083ecf41c7bde_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-log-reader-rhel8@sha256:85b1795ccbe0f13810605b579ebd25a8bc3a41f25a0c6b98df654eb894e559b8_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-must-gather-rhel8@sha256:79741d28197747559160fe140258eb3c5bf5b42351ad88b2f00642eba2180fee_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-openvpn-rhel8@sha256:10c90d8813b9045bde25cac6cc0cbd1de8095be3ea353c07ba77ca13ee561165_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-operator-bundle@sha256:9e0d9d0d4acaf95c553d1c23ec62161554a24fd8b2a6d9d50bad8cb4d8da7229_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-registry-rhel8@sha256:24afdf147e24a631d8f4267d0594bf15db8a024bd1a86b49189c1d4c01acd5e5_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-rhel8-operator@sha256:fc0422805208ff6b659ff190837f4dd8ce589b6862d7abd2c5d649b47271f6f9_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-rsync-transfer-rhel8@sha256:70676a347e14d1a4d2c5dc2259c73a7348401eb51c16c0dcd62b78326b2d9e1b_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-ui-rhel8@sha256:6da0fcb9118ff62926e16dcd0146c85ab0972cd7e304027032bf925b7bde4dd0_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-plugin-for-aws-rhel8@sha256:8c196e46603987091fac589001c805708f9f8d243c00f828938bbcca132d52a0_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-plugin-for-gcp-rhel8@sha256:2dca85c9f00468f63d741c2133457122ebb148c6580c055174d5e6b9daaa33e2_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-plugin-for-microsoft-azure-rhel8@sha256:8341be8ea6d3f65544829158f007c15865165fb590e43f0928ad22bcedeed870_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-restic-restore-helper-rhel8@sha256:5837e38d784cf83e06b343dfbfc10f250cf399b6af810a8f584f7aadb5258a1b_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-rhel8@sha256:b4102f9a94d6a539e695a446f59c9395287b53c10ccd4a2a274feec40c6e0368_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-velero-plugin-rhel8@sha256:d6958eee44939ace90ddadc33f60a5cee1ce30ec97a65aeea4ec5788aaf08d94_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "decode-uri-component: improper input validation resulting in DoS"
},
{
"cve": "CVE-2022-46175",
"cwe": {
"id": "CWE-1321",
"name": "Improperly Controlled Modification of Object Prototype Attributes (\u0027Prototype Pollution\u0027)"
},
"discovery_date": "2022-12-26T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-RHMTC-1.7:rhmtc/openshift-migration-controller-rhel8@sha256:5bd15eedeaa345b05580d154819e813bde9feb60e99a5f5f03187c43205f7d0f_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-hook-runner-rhel8@sha256:61f534bd9ce8b65cc9111336e4db1d57a0e7f0a614094ee25b4532324a8bfe71_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-legacy-rhel8-operator@sha256:9213e3ca5be9a82934b910c188626a45f9f1265d032251e3337083ecf41c7bde_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-log-reader-rhel8@sha256:85b1795ccbe0f13810605b579ebd25a8bc3a41f25a0c6b98df654eb894e559b8_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-must-gather-rhel8@sha256:79741d28197747559160fe140258eb3c5bf5b42351ad88b2f00642eba2180fee_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-openvpn-rhel8@sha256:10c90d8813b9045bde25cac6cc0cbd1de8095be3ea353c07ba77ca13ee561165_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-operator-bundle@sha256:9e0d9d0d4acaf95c553d1c23ec62161554a24fd8b2a6d9d50bad8cb4d8da7229_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-registry-rhel8@sha256:24afdf147e24a631d8f4267d0594bf15db8a024bd1a86b49189c1d4c01acd5e5_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-rhel8-operator@sha256:fc0422805208ff6b659ff190837f4dd8ce589b6862d7abd2c5d649b47271f6f9_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-rsync-transfer-rhel8@sha256:70676a347e14d1a4d2c5dc2259c73a7348401eb51c16c0dcd62b78326b2d9e1b_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-plugin-for-aws-rhel8@sha256:8c196e46603987091fac589001c805708f9f8d243c00f828938bbcca132d52a0_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-plugin-for-gcp-rhel8@sha256:2dca85c9f00468f63d741c2133457122ebb148c6580c055174d5e6b9daaa33e2_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-plugin-for-microsoft-azure-rhel8@sha256:8341be8ea6d3f65544829158f007c15865165fb590e43f0928ad22bcedeed870_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-restic-restore-helper-rhel8@sha256:5837e38d784cf83e06b343dfbfc10f250cf399b6af810a8f584f7aadb5258a1b_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-rhel8@sha256:b4102f9a94d6a539e695a446f59c9395287b53c10ccd4a2a274feec40c6e0368_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-velero-plugin-rhel8@sha256:d6958eee44939ace90ddadc33f60a5cee1ce30ec97a65aeea4ec5788aaf08d94_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2156263"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the json5 package. The affected version of the json5 package could allow an attacker to set arbitrary and unexpected keys on the object returned from JSON5.parse.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "json5: Prototype Pollution in JSON5 via Parse Method",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "The json5 package is a build-time dependency in Red Hat products and is not used in production runtime. Hence, the impact is set to Moderate.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHMTC-1.7:rhmtc/openshift-migration-ui-rhel8@sha256:6da0fcb9118ff62926e16dcd0146c85ab0972cd7e304027032bf925b7bde4dd0_amd64"
],
"known_not_affected": [
"8Base-RHMTC-1.7:rhmtc/openshift-migration-controller-rhel8@sha256:5bd15eedeaa345b05580d154819e813bde9feb60e99a5f5f03187c43205f7d0f_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-hook-runner-rhel8@sha256:61f534bd9ce8b65cc9111336e4db1d57a0e7f0a614094ee25b4532324a8bfe71_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-legacy-rhel8-operator@sha256:9213e3ca5be9a82934b910c188626a45f9f1265d032251e3337083ecf41c7bde_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-log-reader-rhel8@sha256:85b1795ccbe0f13810605b579ebd25a8bc3a41f25a0c6b98df654eb894e559b8_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-must-gather-rhel8@sha256:79741d28197747559160fe140258eb3c5bf5b42351ad88b2f00642eba2180fee_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-openvpn-rhel8@sha256:10c90d8813b9045bde25cac6cc0cbd1de8095be3ea353c07ba77ca13ee561165_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-operator-bundle@sha256:9e0d9d0d4acaf95c553d1c23ec62161554a24fd8b2a6d9d50bad8cb4d8da7229_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-registry-rhel8@sha256:24afdf147e24a631d8f4267d0594bf15db8a024bd1a86b49189c1d4c01acd5e5_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-rhel8-operator@sha256:fc0422805208ff6b659ff190837f4dd8ce589b6862d7abd2c5d649b47271f6f9_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-rsync-transfer-rhel8@sha256:70676a347e14d1a4d2c5dc2259c73a7348401eb51c16c0dcd62b78326b2d9e1b_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-plugin-for-aws-rhel8@sha256:8c196e46603987091fac589001c805708f9f8d243c00f828938bbcca132d52a0_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-plugin-for-gcp-rhel8@sha256:2dca85c9f00468f63d741c2133457122ebb148c6580c055174d5e6b9daaa33e2_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-plugin-for-microsoft-azure-rhel8@sha256:8341be8ea6d3f65544829158f007c15865165fb590e43f0928ad22bcedeed870_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-restic-restore-helper-rhel8@sha256:5837e38d784cf83e06b343dfbfc10f250cf399b6af810a8f584f7aadb5258a1b_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-rhel8@sha256:b4102f9a94d6a539e695a446f59c9395287b53c10ccd4a2a274feec40c6e0368_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-velero-plugin-rhel8@sha256:d6958eee44939ace90ddadc33f60a5cee1ce30ec97a65aeea4ec5788aaf08d94_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-46175"
},
{
"category": "external",
"summary": "RHBZ#2156263",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2156263"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-46175",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-46175"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-46175",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-46175"
},
{
"category": "external",
"summary": "https://github.com/json5/json5/security/advisories/GHSA-9c47-m6qq-7p4h",
"url": "https://github.com/json5/json5/security/advisories/GHSA-9c47-m6qq-7p4h"
}
],
"release_date": "2022-12-24T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-23T02:16:09+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-RHMTC-1.7:rhmtc/openshift-migration-ui-rhel8@sha256:6da0fcb9118ff62926e16dcd0146c85ab0972cd7e304027032bf925b7bde4dd0_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1428"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"8Base-RHMTC-1.7:rhmtc/openshift-migration-controller-rhel8@sha256:5bd15eedeaa345b05580d154819e813bde9feb60e99a5f5f03187c43205f7d0f_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-hook-runner-rhel8@sha256:61f534bd9ce8b65cc9111336e4db1d57a0e7f0a614094ee25b4532324a8bfe71_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-legacy-rhel8-operator@sha256:9213e3ca5be9a82934b910c188626a45f9f1265d032251e3337083ecf41c7bde_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-log-reader-rhel8@sha256:85b1795ccbe0f13810605b579ebd25a8bc3a41f25a0c6b98df654eb894e559b8_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-must-gather-rhel8@sha256:79741d28197747559160fe140258eb3c5bf5b42351ad88b2f00642eba2180fee_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-openvpn-rhel8@sha256:10c90d8813b9045bde25cac6cc0cbd1de8095be3ea353c07ba77ca13ee561165_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-operator-bundle@sha256:9e0d9d0d4acaf95c553d1c23ec62161554a24fd8b2a6d9d50bad8cb4d8da7229_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-registry-rhel8@sha256:24afdf147e24a631d8f4267d0594bf15db8a024bd1a86b49189c1d4c01acd5e5_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-rhel8-operator@sha256:fc0422805208ff6b659ff190837f4dd8ce589b6862d7abd2c5d649b47271f6f9_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-rsync-transfer-rhel8@sha256:70676a347e14d1a4d2c5dc2259c73a7348401eb51c16c0dcd62b78326b2d9e1b_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-ui-rhel8@sha256:6da0fcb9118ff62926e16dcd0146c85ab0972cd7e304027032bf925b7bde4dd0_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-plugin-for-aws-rhel8@sha256:8c196e46603987091fac589001c805708f9f8d243c00f828938bbcca132d52a0_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-plugin-for-gcp-rhel8@sha256:2dca85c9f00468f63d741c2133457122ebb148c6580c055174d5e6b9daaa33e2_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-plugin-for-microsoft-azure-rhel8@sha256:8341be8ea6d3f65544829158f007c15865165fb590e43f0928ad22bcedeed870_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-restic-restore-helper-rhel8@sha256:5837e38d784cf83e06b343dfbfc10f250cf399b6af810a8f584f7aadb5258a1b_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-rhel8@sha256:b4102f9a94d6a539e695a446f59c9395287b53c10ccd4a2a274feec40c6e0368_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-velero-plugin-rhel8@sha256:d6958eee44939ace90ddadc33f60a5cee1ce30ec97a65aeea4ec5788aaf08d94_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "json5: Prototype Pollution in JSON5 via Parse Method"
},
{
"cve": "CVE-2022-48285",
"cwe": {
"id": "CWE-23",
"name": "Relative Path Traversal"
},
"discovery_date": "2023-01-31T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-RHMTC-1.7:rhmtc/openshift-migration-controller-rhel8@sha256:5bd15eedeaa345b05580d154819e813bde9feb60e99a5f5f03187c43205f7d0f_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-hook-runner-rhel8@sha256:61f534bd9ce8b65cc9111336e4db1d57a0e7f0a614094ee25b4532324a8bfe71_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-legacy-rhel8-operator@sha256:9213e3ca5be9a82934b910c188626a45f9f1265d032251e3337083ecf41c7bde_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-log-reader-rhel8@sha256:85b1795ccbe0f13810605b579ebd25a8bc3a41f25a0c6b98df654eb894e559b8_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-must-gather-rhel8@sha256:79741d28197747559160fe140258eb3c5bf5b42351ad88b2f00642eba2180fee_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-openvpn-rhel8@sha256:10c90d8813b9045bde25cac6cc0cbd1de8095be3ea353c07ba77ca13ee561165_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-operator-bundle@sha256:9e0d9d0d4acaf95c553d1c23ec62161554a24fd8b2a6d9d50bad8cb4d8da7229_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-registry-rhel8@sha256:24afdf147e24a631d8f4267d0594bf15db8a024bd1a86b49189c1d4c01acd5e5_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-rhel8-operator@sha256:fc0422805208ff6b659ff190837f4dd8ce589b6862d7abd2c5d649b47271f6f9_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-rsync-transfer-rhel8@sha256:70676a347e14d1a4d2c5dc2259c73a7348401eb51c16c0dcd62b78326b2d9e1b_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-plugin-for-aws-rhel8@sha256:8c196e46603987091fac589001c805708f9f8d243c00f828938bbcca132d52a0_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-plugin-for-gcp-rhel8@sha256:2dca85c9f00468f63d741c2133457122ebb148c6580c055174d5e6b9daaa33e2_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-plugin-for-microsoft-azure-rhel8@sha256:8341be8ea6d3f65544829158f007c15865165fb590e43f0928ad22bcedeed870_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-restic-restore-helper-rhel8@sha256:5837e38d784cf83e06b343dfbfc10f250cf399b6af810a8f584f7aadb5258a1b_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-rhel8@sha256:b4102f9a94d6a539e695a446f59c9395287b53c10ccd4a2a274feec40c6e0368_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-velero-plugin-rhel8@sha256:d6958eee44939ace90ddadc33f60a5cee1ce30ec97a65aeea4ec5788aaf08d94_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2165797"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the JSZip package. Affected versions of JSZip could allow a remote attacker to traverse directories on the system caused by the failure to sanitize filenames when files are loaded with `loadAsync`, which makes the library vulnerable to a Zip Slip attack. By extracting files from a specially crafted archive, an attacker could gain access to parts of the file system outside of the target folder, overwrite the executable files, and execute arbitrary commands on the system.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jszip: directory traversal via a crafted ZIP archive",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHMTC-1.7:rhmtc/openshift-migration-ui-rhel8@sha256:6da0fcb9118ff62926e16dcd0146c85ab0972cd7e304027032bf925b7bde4dd0_amd64"
],
"known_not_affected": [
"8Base-RHMTC-1.7:rhmtc/openshift-migration-controller-rhel8@sha256:5bd15eedeaa345b05580d154819e813bde9feb60e99a5f5f03187c43205f7d0f_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-hook-runner-rhel8@sha256:61f534bd9ce8b65cc9111336e4db1d57a0e7f0a614094ee25b4532324a8bfe71_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-legacy-rhel8-operator@sha256:9213e3ca5be9a82934b910c188626a45f9f1265d032251e3337083ecf41c7bde_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-log-reader-rhel8@sha256:85b1795ccbe0f13810605b579ebd25a8bc3a41f25a0c6b98df654eb894e559b8_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-must-gather-rhel8@sha256:79741d28197747559160fe140258eb3c5bf5b42351ad88b2f00642eba2180fee_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-openvpn-rhel8@sha256:10c90d8813b9045bde25cac6cc0cbd1de8095be3ea353c07ba77ca13ee561165_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-operator-bundle@sha256:9e0d9d0d4acaf95c553d1c23ec62161554a24fd8b2a6d9d50bad8cb4d8da7229_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-registry-rhel8@sha256:24afdf147e24a631d8f4267d0594bf15db8a024bd1a86b49189c1d4c01acd5e5_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-rhel8-operator@sha256:fc0422805208ff6b659ff190837f4dd8ce589b6862d7abd2c5d649b47271f6f9_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-rsync-transfer-rhel8@sha256:70676a347e14d1a4d2c5dc2259c73a7348401eb51c16c0dcd62b78326b2d9e1b_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-plugin-for-aws-rhel8@sha256:8c196e46603987091fac589001c805708f9f8d243c00f828938bbcca132d52a0_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-plugin-for-gcp-rhel8@sha256:2dca85c9f00468f63d741c2133457122ebb148c6580c055174d5e6b9daaa33e2_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-plugin-for-microsoft-azure-rhel8@sha256:8341be8ea6d3f65544829158f007c15865165fb590e43f0928ad22bcedeed870_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-restic-restore-helper-rhel8@sha256:5837e38d784cf83e06b343dfbfc10f250cf399b6af810a8f584f7aadb5258a1b_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-rhel8@sha256:b4102f9a94d6a539e695a446f59c9395287b53c10ccd4a2a274feec40c6e0368_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-velero-plugin-rhel8@sha256:d6958eee44939ace90ddadc33f60a5cee1ce30ec97a65aeea4ec5788aaf08d94_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-48285"
},
{
"category": "external",
"summary": "RHBZ#2165797",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2165797"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-48285",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-48285"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-48285",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-48285"
},
{
"category": "external",
"summary": "https://exchange.xforce.ibmcloud.com/vulnerabilities/244499",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/244499"
},
{
"category": "external",
"summary": "https://github.com/Stuk/jszip/commit/2edab366119c9ee948357c02f1206c28566cdf15",
"url": "https://github.com/Stuk/jszip/commit/2edab366119c9ee948357c02f1206c28566cdf15"
},
{
"category": "external",
"summary": "https://github.com/Stuk/jszip/compare/v3.7.1...v3.8.0",
"url": "https://github.com/Stuk/jszip/compare/v3.7.1...v3.8.0"
},
{
"category": "external",
"summary": "https://www.mend.io/vulnerability-database/WS-2023-0004",
"url": "https://www.mend.io/vulnerability-database/WS-2023-0004"
}
],
"release_date": "2023-01-29T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-23T02:16:09+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-RHMTC-1.7:rhmtc/openshift-migration-ui-rhel8@sha256:6da0fcb9118ff62926e16dcd0146c85ab0972cd7e304027032bf925b7bde4dd0_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1428"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
},
"products": [
"8Base-RHMTC-1.7:rhmtc/openshift-migration-controller-rhel8@sha256:5bd15eedeaa345b05580d154819e813bde9feb60e99a5f5f03187c43205f7d0f_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-hook-runner-rhel8@sha256:61f534bd9ce8b65cc9111336e4db1d57a0e7f0a614094ee25b4532324a8bfe71_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-legacy-rhel8-operator@sha256:9213e3ca5be9a82934b910c188626a45f9f1265d032251e3337083ecf41c7bde_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-log-reader-rhel8@sha256:85b1795ccbe0f13810605b579ebd25a8bc3a41f25a0c6b98df654eb894e559b8_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-must-gather-rhel8@sha256:79741d28197747559160fe140258eb3c5bf5b42351ad88b2f00642eba2180fee_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-openvpn-rhel8@sha256:10c90d8813b9045bde25cac6cc0cbd1de8095be3ea353c07ba77ca13ee561165_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-operator-bundle@sha256:9e0d9d0d4acaf95c553d1c23ec62161554a24fd8b2a6d9d50bad8cb4d8da7229_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-registry-rhel8@sha256:24afdf147e24a631d8f4267d0594bf15db8a024bd1a86b49189c1d4c01acd5e5_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-rhel8-operator@sha256:fc0422805208ff6b659ff190837f4dd8ce589b6862d7abd2c5d649b47271f6f9_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-rsync-transfer-rhel8@sha256:70676a347e14d1a4d2c5dc2259c73a7348401eb51c16c0dcd62b78326b2d9e1b_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-ui-rhel8@sha256:6da0fcb9118ff62926e16dcd0146c85ab0972cd7e304027032bf925b7bde4dd0_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-plugin-for-aws-rhel8@sha256:8c196e46603987091fac589001c805708f9f8d243c00f828938bbcca132d52a0_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-plugin-for-gcp-rhel8@sha256:2dca85c9f00468f63d741c2133457122ebb148c6580c055174d5e6b9daaa33e2_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-plugin-for-microsoft-azure-rhel8@sha256:8341be8ea6d3f65544829158f007c15865165fb590e43f0928ad22bcedeed870_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-restic-restore-helper-rhel8@sha256:5837e38d784cf83e06b343dfbfc10f250cf399b6af810a8f584f7aadb5258a1b_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-rhel8@sha256:b4102f9a94d6a539e695a446f59c9395287b53c10ccd4a2a274feec40c6e0368_amd64",
"8Base-RHMTC-1.7:rhmtc/openshift-velero-plugin-rhel8@sha256:d6958eee44939ace90ddadc33f60a5cee1ce30ec97a65aeea4ec5788aaf08d94_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "jszip: directory traversal via a crafted ZIP archive"
}
]
}
Loading…
Trend slope:
-
(linear fit over daily sighting counts)
Show additional events:
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…