Action not permitted
Modal body text goes here.
Modal Title
Modal Body
WID-SEC-W-2023-2993
Vulnerability from csaf_certbund
Published
2023-11-21 23:00
Modified
2023-12-12 23:00
Summary
Atlassian Bamboo, Atlassian Bitbucket, Atlassian Confluence and Atlassian Jira Software: Mehrere Schwachstellen
Notes
Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.
Produktbeschreibung
Bamboo ist ein Werkzeug zur kontinuierlichen Integration und Bereitstellung, das automatisierte Builds, Tests und Freigaben in einem einzigen Arbeitsablauf verbindet.
Bitbucket ist ein Git-Server zur Sourcecode-Versionskontrolle.
Confluence ist eine kommerzielle Wiki-Software.
Jira ist eine Webanwendung zur Softwareentwicklung.
Angriff
Ein Angreifer kann mehrere Schwachstellen in Atlassian Bamboo, Atlassian Bitbucket, Atlassian Confluence und Atlassian Jira Software ausnutzen, um beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, einen Denial-of-Service-Zustand herbeizuführen, vertrauliche Informationen offenzulegen oder einen Cross-Site-Scripting-Angriff durchzuführen.
Betroffene Betriebssysteme
- Linux
- MacOS X
- Windows
{ "document": { "aggregate_severity": { "text": "hoch" }, "category": "csaf_base", "csaf_version": "2.0", "distribution": { "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "de-DE", "notes": [ { "category": "legal_disclaimer", "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen." }, { "category": "description", "text": "Bamboo ist ein Werkzeug zur kontinuierlichen Integration und Bereitstellung, das automatisierte Builds, Tests und Freigaben in einem einzigen Arbeitsablauf verbindet.\r\nBitbucket ist ein Git-Server zur Sourcecode-Versionskontrolle.\r\nConfluence ist eine kommerzielle Wiki-Software.\r\nJira ist eine Webanwendung zur Softwareentwicklung.", "title": "Produktbeschreibung" }, { "category": "summary", "text": "Ein Angreifer kann mehrere Schwachstellen in Atlassian Bamboo, Atlassian Bitbucket, Atlassian Confluence und Atlassian Jira Software ausnutzen, um beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, einen Denial-of-Service-Zustand herbeizuf\u00fchren, vertrauliche Informationen offenzulegen oder einen Cross-Site-Scripting-Angriff durchzuf\u00fchren.", "title": "Angriff" }, { "category": "general", "text": "- Linux\n- MacOS X\n- Windows", "title": "Betroffene Betriebssysteme" } ], "publisher": { "category": "other", "contact_details": "csaf-provider@cert-bund.de", "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik", "namespace": "https://www.bsi.bund.de" }, "references": [ { "category": "self", "summary": "WID-SEC-W-2023-2993 - CSAF Version", "url": "https://wid.cert-bund.de/.well-known/csaf/white/2023/wid-sec-w-2023-2993.json" }, { "category": "self", "summary": "WID-SEC-2023-2993 - Portal Version", "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2023-2993" }, { "category": "external", "summary": "Atlassian Security Bulletin vom 2023-11-21", "url": "https://confluence.atlassian.com/security/security-bulletin-november-21-2023-1318881573.html" }, { "category": "external", "summary": "Atlassian Security Bulletin December 12 2023 vom 2023-12-12", "url": "https://confluence.atlassian.com/security/security-bulletin-december-12-2023-1319249520.html" } ], "source_lang": "en-US", "title": "Atlassian Bamboo, Atlassian Bitbucket, Atlassian Confluence and Atlassian Jira Software: Mehrere Schwachstellen", "tracking": { "current_release_date": "2023-12-12T23:00:00.000+00:00", "generator": { "date": "2024-02-15T17:52:18.317+00:00", "engine": { "name": "BSI-WID", "version": "1.3.0" } }, "id": "WID-SEC-W-2023-2993", "initial_release_date": "2023-11-21T23:00:00.000+00:00", "revision_history": [ { "date": "2023-11-21T23:00:00.000+00:00", "number": "1", "summary": "Initiale Fassung" }, { "date": "2023-11-23T23:00:00.000+00:00", "number": "2", "summary": "Bewertung angepasst" }, { "date": "2023-12-12T23:00:00.000+00:00", "number": "3", "summary": "Neue Updates aufgenommen" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Atlassian Bamboo \u003c 9.2.7", "product": { "name": "Atlassian Bamboo \u003c 9.2.7", "product_id": "1529586", "product_identification_helper": { "cpe": "cpe:/a:atlassian:bamboo:9.2.7" } } }, { "category": "product_name", "name": "Atlassian Bamboo \u003c 9.2.7", "product": { "name": "Atlassian Bamboo \u003c 9.2.7", "product_id": "T031322", "product_identification_helper": { "cpe": "cpe:/a:atlassian:bamboo:9.2.7" } } }, { "category": "product_name", "name": "Atlassian Bamboo \u003c 9.3.4", "product": { "name": "Atlassian Bamboo \u003c 9.3.4", "product_id": "T031323", "product_identification_helper": { "cpe": "cpe:/a:atlassian:bamboo:9.3.4" } } }, { "category": "product_name", "name": "Atlassian Bamboo \u003c 9.3.5", "product": { "name": "Atlassian Bamboo \u003c 9.3.5", "product_id": "T031324", "product_identification_helper": { "cpe": "cpe:/a:atlassian:bamboo:9.3.5" } } } ], "category": "product_name", "name": "Bamboo" }, { "branches": [ { "category": "product_name", "name": "Atlassian Bitbucket \u003c 7.21.18", "product": { "name": "Atlassian Bitbucket \u003c 7.21.18", "product_id": "T031325", "product_identification_helper": { "cpe": "cpe:/a:atlassian:bitbucket:7.21.18" } } }, { "category": "product_name", "name": "Atlassian Bitbucket \u003c 8.9.7", "product": { "name": "Atlassian Bitbucket \u003c 8.9.7", "product_id": "T031614", "product_identification_helper": { "cpe": "cpe:/a:atlassian:bitbucket:8.9.7" } } }, { "category": "product_name", "name": "Atlassian Bitbucket \u003c 8.11.6", "product": { "name": "Atlassian Bitbucket \u003c 8.11.6", "product_id": "T031615", "product_identification_helper": { "cpe": "cpe:/a:atlassian:bitbucket:8.11.6" } } }, { "category": "product_name", "name": "Atlassian Bitbucket \u003c 8.12.4", "product": { "name": "Atlassian Bitbucket \u003c 8.12.4", "product_id": "T031616", "product_identification_helper": { "cpe": "cpe:/a:atlassian:bitbucket:8.12.4" } } }, { "category": "product_name", "name": "Atlassian Bitbucket \u003c 8.13.3", "product": { "name": "Atlassian Bitbucket \u003c 8.13.3", "product_id": "T031617", "product_identification_helper": { "cpe": "cpe:/a:atlassian:bitbucket:8.13.3" } } }, { "category": "product_name", "name": "Atlassian Bitbucket \u003c 8.14.2", "product": { "name": "Atlassian Bitbucket \u003c 8.14.2", "product_id": "T031618", "product_identification_helper": { "cpe": "cpe:/a:atlassian:bitbucket:8.14.2" } } } ], "category": "product_name", "name": "Bitbucket" }, { "branches": [ { "category": "product_name", "name": "Atlassian Confluence \u003c 8.3.4", "product": { "name": "Atlassian Confluence \u003c 8.3.4", "product_id": "T030846", "product_identification_helper": { "cpe": "cpe:/a:atlassian:confluence:8.3.4" } } }, { "category": "product_name", "name": "Atlassian Confluence \u003c 8.6.1", "product": { "name": "Atlassian Confluence \u003c 8.6.1", "product_id": "T031326", "product_identification_helper": { "cpe": "cpe:/a:atlassian:confluence:8.6.1" } } }, { "category": "product_name", "name": "Atlassian Confluence \u003c 7.19.17", "product": { "name": "Atlassian Confluence \u003c 7.19.17", "product_id": "T031609", "product_identification_helper": { "cpe": "cpe:/a:atlassian:confluence:7.19.17" } } }, { "category": "product_name", "name": "Atlassian Confluence \u003c 8.4.5", "product": { "name": "Atlassian Confluence \u003c 8.4.5", "product_id": "T031610", "product_identification_helper": { "cpe": "cpe:/a:atlassian:confluence:8.4.5" } } }, { "category": "product_name", "name": "Atlassian Confluence \u003c 8.5.4", "product": { "name": "Atlassian Confluence \u003c 8.5.4", "product_id": "T031611", "product_identification_helper": { "cpe": "cpe:/a:atlassian:confluence:8.5.4" } } }, { "category": "product_name", "name": "Atlassian Confluence \u003c 8.6.2", "product": { "name": "Atlassian Confluence \u003c 8.6.2", "product_id": "T031612", "product_identification_helper": { "cpe": "cpe:/a:atlassian:confluence:8.6.2" } } }, { "category": "product_name", "name": "Atlassian Confluence \u003c 8.7.1", "product": { "name": "Atlassian Confluence \u003c 8.7.1", "product_id": "T031613", "product_identification_helper": { "cpe": "cpe:/a:atlassian:confluence:8.7.1" } } } ], "category": "product_name", "name": "Confluence" }, { "branches": [ { "category": "product_name", "name": "Atlassian Jira Software \u003c 9.11.3", "product": { "name": "Atlassian Jira Software \u003c 9.11.3", "product_id": "T031327", "product_identification_helper": { "cpe": "cpe:/a:atlassian:jira_software:9.11.3" } } }, { "category": "product_name", "name": "Atlassian Jira Software \u003c 9.4.13", "product": { "name": "Atlassian Jira Software \u003c 9.4.13", "product_id": "T031606", "product_identification_helper": { "cpe": "cpe:/a:atlassian:jira_software:9.4.13" } } }, { "category": "product_name", "name": "Atlassian Jira Software Service Management \u003c 4.20.28", "product": { "name": "Atlassian Jira Software Service Management \u003c 4.20.28", "product_id": "T031607", "product_identification_helper": { "cpe": "cpe:/a:atlassian:jira_software:service_management__4.20.28" } } }, { "category": "product_name", "name": "Atlassian Jira Software Service Management \u003c 5.4.12", "product": { "name": "Atlassian Jira Software Service Management \u003c 5.4.12", "product_id": "T031608", "product_identification_helper": { "cpe": "cpe:/a:atlassian:jira_software:service_management__5.4.12" } } } ], "category": "product_name", "name": "Jira Software" } ], "category": "vendor", "name": "Atlassian" } ] }, "vulnerabilities": [ { "cve": "CVE-2023-44487", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen in Atlassian Bamboo, Atlassian Bitbucket, Atlassian Confluence und Atlassian Jira Software. Diese Fehler bestehen unter anderem in verschiedenen Komponenten wie com.google.guava:guava oder jackson-databind. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, einen Denial-of-Service-Zustand herbeizuf\u00fchren, vertrauliche Informationen offenzulegen oder einen Cross-Site-Scripting-Angriff durchzuf\u00fchren. F\u00fcr eine erfolgreiche Ausnutzung einiger dieser Schwachstellen ist eine Anmeldung oder eine Interaktion des Nutzers notwendig." } ], "product_status": { "known_affected": [ "T031610", "T031612", "T031611", "T031614", "T031613", "1529586", "T030846", "T031616", "T031615", "T031607", "T031618", "T031606", "T031617", "T031609", "T031608" ] }, "release_date": "2023-11-21T23:00:00Z", "title": "CVE-2023-44487" }, { "cve": "CVE-2023-42794", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen in Atlassian Bamboo, Atlassian Bitbucket, Atlassian Confluence und Atlassian Jira Software. Diese Fehler bestehen unter anderem in verschiedenen Komponenten wie com.google.guava:guava oder jackson-databind. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, einen Denial-of-Service-Zustand herbeizuf\u00fchren, vertrauliche Informationen offenzulegen oder einen Cross-Site-Scripting-Angriff durchzuf\u00fchren. F\u00fcr eine erfolgreiche Ausnutzung einiger dieser Schwachstellen ist eine Anmeldung oder eine Interaktion des Nutzers notwendig." } ], "product_status": { "known_affected": [ "T031610", "T031612", "T031611", "T031614", "T031613", "1529586", "T030846", "T031616", "T031615", "T031607", "T031618", "T031606", "T031617", "T031609", "T031608" ] }, "release_date": "2023-11-21T23:00:00Z", "title": "CVE-2023-42794" }, { "cve": "CVE-2023-34396", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen in Atlassian Bamboo, Atlassian Bitbucket, Atlassian Confluence und Atlassian Jira Software. Diese Fehler bestehen unter anderem in verschiedenen Komponenten wie com.google.guava:guava oder jackson-databind. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, einen Denial-of-Service-Zustand herbeizuf\u00fchren, vertrauliche Informationen offenzulegen oder einen Cross-Site-Scripting-Angriff durchzuf\u00fchren. F\u00fcr eine erfolgreiche Ausnutzung einiger dieser Schwachstellen ist eine Anmeldung oder eine Interaktion des Nutzers notwendig." } ], "product_status": { "known_affected": [ "T031610", "T031612", "T031611", "T031614", "T031613", "1529586", "T030846", "T031616", "T031615", "T031607", "T031618", "T031606", "T031617", "T031609", "T031608" ] }, "release_date": "2023-11-21T23:00:00Z", "title": "CVE-2023-34396" }, { "cve": "CVE-2023-2976", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen in Atlassian Bamboo, Atlassian Bitbucket, Atlassian Confluence und Atlassian Jira Software. Diese Fehler bestehen unter anderem in verschiedenen Komponenten wie com.google.guava:guava oder jackson-databind. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, einen Denial-of-Service-Zustand herbeizuf\u00fchren, vertrauliche Informationen offenzulegen oder einen Cross-Site-Scripting-Angriff durchzuf\u00fchren. F\u00fcr eine erfolgreiche Ausnutzung einiger dieser Schwachstellen ist eine Anmeldung oder eine Interaktion des Nutzers notwendig." } ], "product_status": { "known_affected": [ "T031610", "T031612", "T031611", "T031614", "T031613", "1529586", "T030846", "T031616", "T031615", "T031607", "T031618", "T031606", "T031617", "T031609", "T031608" ] }, "release_date": "2023-11-21T23:00:00Z", "title": "CVE-2023-2976" }, { "cve": "CVE-2023-22521", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen in Atlassian Bamboo, Atlassian Bitbucket, Atlassian Confluence und Atlassian Jira Software. Diese Fehler bestehen unter anderem in verschiedenen Komponenten wie com.google.guava:guava oder jackson-databind. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, einen Denial-of-Service-Zustand herbeizuf\u00fchren, vertrauliche Informationen offenzulegen oder einen Cross-Site-Scripting-Angriff durchzuf\u00fchren. F\u00fcr eine erfolgreiche Ausnutzung einiger dieser Schwachstellen ist eine Anmeldung oder eine Interaktion des Nutzers notwendig." } ], "product_status": { "known_affected": [ "T031610", "T031612", "T031611", "T031614", "T031613", "1529586", "T030846", "T031616", "T031615", "T031607", "T031618", "T031606", "T031617", "T031609", "T031608" ] }, "release_date": "2023-11-21T23:00:00Z", "title": "CVE-2023-22521" }, { "cve": "CVE-2023-22516", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen in Atlassian Bamboo, Atlassian Bitbucket, Atlassian Confluence und Atlassian Jira Software. Diese Fehler bestehen unter anderem in verschiedenen Komponenten wie com.google.guava:guava oder jackson-databind. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, einen Denial-of-Service-Zustand herbeizuf\u00fchren, vertrauliche Informationen offenzulegen oder einen Cross-Site-Scripting-Angriff durchzuf\u00fchren. F\u00fcr eine erfolgreiche Ausnutzung einiger dieser Schwachstellen ist eine Anmeldung oder eine Interaktion des Nutzers notwendig." } ], "product_status": { "known_affected": [ "T031610", "T031612", "T031611", "T031614", "T031613", "1529586", "T030846", "T031616", "T031615", "T031607", "T031618", "T031606", "T031617", "T031609", "T031608" ] }, "release_date": "2023-11-21T23:00:00Z", "title": "CVE-2023-22516" }, { "cve": "CVE-2022-45143", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen in Atlassian Bamboo, Atlassian Bitbucket, Atlassian Confluence und Atlassian Jira Software. Diese Fehler bestehen unter anderem in verschiedenen Komponenten wie com.google.guava:guava oder jackson-databind. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, einen Denial-of-Service-Zustand herbeizuf\u00fchren, vertrauliche Informationen offenzulegen oder einen Cross-Site-Scripting-Angriff durchzuf\u00fchren. F\u00fcr eine erfolgreiche Ausnutzung einiger dieser Schwachstellen ist eine Anmeldung oder eine Interaktion des Nutzers notwendig." } ], "product_status": { "known_affected": [ "T031610", "T031612", "T031611", "T031614", "T031613", "1529586", "T030846", "T031616", "T031615", "T031607", "T031618", "T031606", "T031617", "T031609", "T031608" ] }, "release_date": "2023-11-21T23:00:00Z", "title": "CVE-2022-45143" }, { "cve": "CVE-2022-42890", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen in Atlassian Bamboo, Atlassian Bitbucket, Atlassian Confluence und Atlassian Jira Software. Diese Fehler bestehen unter anderem in verschiedenen Komponenten wie com.google.guava:guava oder jackson-databind. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, einen Denial-of-Service-Zustand herbeizuf\u00fchren, vertrauliche Informationen offenzulegen oder einen Cross-Site-Scripting-Angriff durchzuf\u00fchren. F\u00fcr eine erfolgreiche Ausnutzung einiger dieser Schwachstellen ist eine Anmeldung oder eine Interaktion des Nutzers notwendig." } ], "product_status": { "known_affected": [ "T031610", "T031612", "T031611", "T031614", "T031613", "1529586", "T030846", "T031616", "T031615", "T031607", "T031618", "T031606", "T031617", "T031609", "T031608" ] }, "release_date": "2023-11-21T23:00:00Z", "title": "CVE-2022-42890" }, { "cve": "CVE-2022-42252", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen in Atlassian Bamboo, Atlassian Bitbucket, Atlassian Confluence und Atlassian Jira Software. Diese Fehler bestehen unter anderem in verschiedenen Komponenten wie com.google.guava:guava oder jackson-databind. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, einen Denial-of-Service-Zustand herbeizuf\u00fchren, vertrauliche Informationen offenzulegen oder einen Cross-Site-Scripting-Angriff durchzuf\u00fchren. F\u00fcr eine erfolgreiche Ausnutzung einiger dieser Schwachstellen ist eine Anmeldung oder eine Interaktion des Nutzers notwendig." } ], "product_status": { "known_affected": [ "T031610", "T031612", "T031611", "T031614", "T031613", "1529586", "T030846", "T031616", "T031615", "T031607", "T031618", "T031606", "T031617", "T031609", "T031608" ] }, "release_date": "2023-11-21T23:00:00Z", "title": "CVE-2022-42252" }, { "cve": "CVE-2022-42004", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen in Atlassian Bamboo, Atlassian Bitbucket, Atlassian Confluence und Atlassian Jira Software. Diese Fehler bestehen unter anderem in verschiedenen Komponenten wie com.google.guava:guava oder jackson-databind. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, einen Denial-of-Service-Zustand herbeizuf\u00fchren, vertrauliche Informationen offenzulegen oder einen Cross-Site-Scripting-Angriff durchzuf\u00fchren. F\u00fcr eine erfolgreiche Ausnutzung einiger dieser Schwachstellen ist eine Anmeldung oder eine Interaktion des Nutzers notwendig." } ], "product_status": { "known_affected": [ "T031610", "T031612", "T031611", "T031614", "T031613", "1529586", "T030846", "T031616", "T031615", "T031607", "T031618", "T031606", "T031617", "T031609", "T031608" ] }, "release_date": "2023-11-21T23:00:00Z", "title": "CVE-2022-42004" }, { "cve": "CVE-2022-42003", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen in Atlassian Bamboo, Atlassian Bitbucket, Atlassian Confluence und Atlassian Jira Software. Diese Fehler bestehen unter anderem in verschiedenen Komponenten wie com.google.guava:guava oder jackson-databind. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, einen Denial-of-Service-Zustand herbeizuf\u00fchren, vertrauliche Informationen offenzulegen oder einen Cross-Site-Scripting-Angriff durchzuf\u00fchren. F\u00fcr eine erfolgreiche Ausnutzung einiger dieser Schwachstellen ist eine Anmeldung oder eine Interaktion des Nutzers notwendig." } ], "product_status": { "known_affected": [ "T031610", "T031612", "T031611", "T031614", "T031613", "1529586", "T030846", "T031616", "T031615", "T031607", "T031618", "T031606", "T031617", "T031609", "T031608" ] }, "release_date": "2023-11-21T23:00:00Z", "title": "CVE-2022-42003" }, { "cve": "CVE-2022-41704", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen in Atlassian Bamboo, Atlassian Bitbucket, Atlassian Confluence und Atlassian Jira Software. Diese Fehler bestehen unter anderem in verschiedenen Komponenten wie com.google.guava:guava oder jackson-databind. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, einen Denial-of-Service-Zustand herbeizuf\u00fchren, vertrauliche Informationen offenzulegen oder einen Cross-Site-Scripting-Angriff durchzuf\u00fchren. F\u00fcr eine erfolgreiche Ausnutzung einiger dieser Schwachstellen ist eine Anmeldung oder eine Interaktion des Nutzers notwendig." } ], "product_status": { "known_affected": [ "T031610", "T031612", "T031611", "T031614", "T031613", "1529586", "T030846", "T031616", "T031615", "T031607", "T031618", "T031606", "T031617", "T031609", "T031608" ] }, "release_date": "2023-11-21T23:00:00Z", "title": "CVE-2022-41704" }, { "cve": "CVE-2022-40146", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen in Atlassian Bamboo, Atlassian Bitbucket, Atlassian Confluence und Atlassian Jira Software. Diese Fehler bestehen unter anderem in verschiedenen Komponenten wie com.google.guava:guava oder jackson-databind. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, einen Denial-of-Service-Zustand herbeizuf\u00fchren, vertrauliche Informationen offenzulegen oder einen Cross-Site-Scripting-Angriff durchzuf\u00fchren. F\u00fcr eine erfolgreiche Ausnutzung einiger dieser Schwachstellen ist eine Anmeldung oder eine Interaktion des Nutzers notwendig." } ], "product_status": { "known_affected": [ "T031610", "T031612", "T031611", "T031614", "T031613", "1529586", "T030846", "T031616", "T031615", "T031607", "T031618", "T031606", "T031617", "T031609", "T031608" ] }, "release_date": "2023-11-21T23:00:00Z", "title": "CVE-2022-40146" }, { "cve": "CVE-2022-28366", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen in Atlassian Bamboo, Atlassian Bitbucket, Atlassian Confluence und Atlassian Jira Software. Diese Fehler bestehen unter anderem in verschiedenen Komponenten wie com.google.guava:guava oder jackson-databind. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, einen Denial-of-Service-Zustand herbeizuf\u00fchren, vertrauliche Informationen offenzulegen oder einen Cross-Site-Scripting-Angriff durchzuf\u00fchren. F\u00fcr eine erfolgreiche Ausnutzung einiger dieser Schwachstellen ist eine Anmeldung oder eine Interaktion des Nutzers notwendig." } ], "product_status": { "known_affected": [ "T031610", "T031612", "T031611", "T031614", "T031613", "1529586", "T030846", "T031616", "T031615", "T031607", "T031618", "T031606", "T031617", "T031609", "T031608" ] }, "release_date": "2023-11-21T23:00:00Z", "title": "CVE-2022-28366" }, { "cve": "CVE-2022-25647", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen in Atlassian Bamboo, Atlassian Bitbucket, Atlassian Confluence und Atlassian Jira Software. Diese Fehler bestehen unter anderem in verschiedenen Komponenten wie com.google.guava:guava oder jackson-databind. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, einen Denial-of-Service-Zustand herbeizuf\u00fchren, vertrauliche Informationen offenzulegen oder einen Cross-Site-Scripting-Angriff durchzuf\u00fchren. F\u00fcr eine erfolgreiche Ausnutzung einiger dieser Schwachstellen ist eine Anmeldung oder eine Interaktion des Nutzers notwendig." } ], "product_status": { "known_affected": [ "T031610", "T031612", "T031611", "T031614", "T031613", "1529586", "T030846", "T031616", "T031615", "T031607", "T031618", "T031606", "T031617", "T031609", "T031608" ] }, "release_date": "2023-11-21T23:00:00Z", "title": "CVE-2022-25647" }, { "cve": "CVE-2021-46877", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen in Atlassian Bamboo, Atlassian Bitbucket, Atlassian Confluence und Atlassian Jira Software. Diese Fehler bestehen unter anderem in verschiedenen Komponenten wie com.google.guava:guava oder jackson-databind. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, einen Denial-of-Service-Zustand herbeizuf\u00fchren, vertrauliche Informationen offenzulegen oder einen Cross-Site-Scripting-Angriff durchzuf\u00fchren. F\u00fcr eine erfolgreiche Ausnutzung einiger dieser Schwachstellen ist eine Anmeldung oder eine Interaktion des Nutzers notwendig." } ], "product_status": { "known_affected": [ "T031610", "T031612", "T031611", "T031614", "T031613", "1529586", "T030846", "T031616", "T031615", "T031607", "T031618", "T031606", "T031617", "T031609", "T031608" ] }, "release_date": "2023-11-21T23:00:00Z", "title": "CVE-2021-46877" }, { "cve": "CVE-2021-40690", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen in Atlassian Bamboo, Atlassian Bitbucket, Atlassian Confluence und Atlassian Jira Software. Diese Fehler bestehen unter anderem in verschiedenen Komponenten wie com.google.guava:guava oder jackson-databind. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, einen Denial-of-Service-Zustand herbeizuf\u00fchren, vertrauliche Informationen offenzulegen oder einen Cross-Site-Scripting-Angriff durchzuf\u00fchren. F\u00fcr eine erfolgreiche Ausnutzung einiger dieser Schwachstellen ist eine Anmeldung oder eine Interaktion des Nutzers notwendig." } ], "product_status": { "known_affected": [ "T031610", "T031612", "T031611", "T031614", "T031613", "1529586", "T030846", "T031616", "T031615", "T031607", "T031618", "T031606", "T031617", "T031609", "T031608" ] }, "release_date": "2023-11-21T23:00:00Z", "title": "CVE-2021-40690" }, { "cve": "CVE-2021-37714", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen in Atlassian Bamboo, Atlassian Bitbucket, Atlassian Confluence und Atlassian Jira Software. Diese Fehler bestehen unter anderem in verschiedenen Komponenten wie com.google.guava:guava oder jackson-databind. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, einen Denial-of-Service-Zustand herbeizuf\u00fchren, vertrauliche Informationen offenzulegen oder einen Cross-Site-Scripting-Angriff durchzuf\u00fchren. F\u00fcr eine erfolgreiche Ausnutzung einiger dieser Schwachstellen ist eine Anmeldung oder eine Interaktion des Nutzers notwendig." } ], "product_status": { "known_affected": [ "T031610", "T031612", "T031611", "T031614", "T031613", "1529586", "T030846", "T031616", "T031615", "T031607", "T031618", "T031606", "T031617", "T031609", "T031608" ] }, "release_date": "2023-11-21T23:00:00Z", "title": "CVE-2021-37714" }, { "cve": "CVE-2021-28165", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen in Atlassian Bamboo, Atlassian Bitbucket, Atlassian Confluence und Atlassian Jira Software. Diese Fehler bestehen unter anderem in verschiedenen Komponenten wie com.google.guava:guava oder jackson-databind. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, einen Denial-of-Service-Zustand herbeizuf\u00fchren, vertrauliche Informationen offenzulegen oder einen Cross-Site-Scripting-Angriff durchzuf\u00fchren. F\u00fcr eine erfolgreiche Ausnutzung einiger dieser Schwachstellen ist eine Anmeldung oder eine Interaktion des Nutzers notwendig." } ], "product_status": { "known_affected": [ "T031610", "T031612", "T031611", "T031614", "T031613", "1529586", "T030846", "T031616", "T031615", "T031607", "T031618", "T031606", "T031617", "T031609", "T031608" ] }, "release_date": "2023-11-21T23:00:00Z", "title": "CVE-2021-28165" }, { "cve": "CVE-2020-36518", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen in Atlassian Bamboo, Atlassian Bitbucket, Atlassian Confluence und Atlassian Jira Software. Diese Fehler bestehen unter anderem in verschiedenen Komponenten wie com.google.guava:guava oder jackson-databind. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, einen Denial-of-Service-Zustand herbeizuf\u00fchren, vertrauliche Informationen offenzulegen oder einen Cross-Site-Scripting-Angriff durchzuf\u00fchren. F\u00fcr eine erfolgreiche Ausnutzung einiger dieser Schwachstellen ist eine Anmeldung oder eine Interaktion des Nutzers notwendig." } ], "product_status": { "known_affected": [ "T031610", "T031612", "T031611", "T031614", "T031613", "1529586", "T030846", "T031616", "T031615", "T031607", "T031618", "T031606", "T031617", "T031609", "T031608" ] }, "release_date": "2023-11-21T23:00:00Z", "title": "CVE-2020-36518" }, { "cve": "CVE-2017-9735", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen in Atlassian Bamboo, Atlassian Bitbucket, Atlassian Confluence und Atlassian Jira Software. Diese Fehler bestehen unter anderem in verschiedenen Komponenten wie com.google.guava:guava oder jackson-databind. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, einen Denial-of-Service-Zustand herbeizuf\u00fchren, vertrauliche Informationen offenzulegen oder einen Cross-Site-Scripting-Angriff durchzuf\u00fchren. F\u00fcr eine erfolgreiche Ausnutzung einiger dieser Schwachstellen ist eine Anmeldung oder eine Interaktion des Nutzers notwendig." } ], "product_status": { "known_affected": [ "T031610", "T031612", "T031611", "T031614", "T031613", "1529586", "T030846", "T031616", "T031615", "T031607", "T031618", "T031606", "T031617", "T031609", "T031608" ] }, "release_date": "2023-11-21T23:00:00Z", "title": "CVE-2017-9735" }, { "cve": "CVE-2017-7656", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen in Atlassian Bamboo, Atlassian Bitbucket, Atlassian Confluence und Atlassian Jira Software. Diese Fehler bestehen unter anderem in verschiedenen Komponenten wie com.google.guava:guava oder jackson-databind. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, einen Denial-of-Service-Zustand herbeizuf\u00fchren, vertrauliche Informationen offenzulegen oder einen Cross-Site-Scripting-Angriff durchzuf\u00fchren. F\u00fcr eine erfolgreiche Ausnutzung einiger dieser Schwachstellen ist eine Anmeldung oder eine Interaktion des Nutzers notwendig." } ], "product_status": { "known_affected": [ "T031610", "T031612", "T031611", "T031614", "T031613", "1529586", "T030846", "T031616", "T031615", "T031607", "T031618", "T031606", "T031617", "T031609", "T031608" ] }, "release_date": "2023-11-21T23:00:00Z", "title": "CVE-2017-7656" } ] }
cve-2017-9735
Vulnerability from cvelistv5
Published
2017-06-16 21:00
Modified
2024-08-05 17:18
Severity ?
EPSS score ?
Summary
Jetty through 9.4.x is prone to a timing channel in util/security/Password.java, which makes it easier for remote attackers to obtain access by observing elapsed times before rejection of incorrect passwords.
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T17:18:01.294Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "99104", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/99104" }, { "name": "[pulsar-commits] 20190416 [GitHub] [pulsar] one70six opened a new issue #4057: Security Vulnerabilities - Black Duck Scan - Pulsar v.2.3.1", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/ff8dcfe29377088ab655fda9d585dccd5b1f07fabd94ae84fd60a7f8%40%3Ccommits.pulsar.apache.org%3E" }, { "name": "[activemq-issues] 20190820 [jira] [Created] (AMQ-7279) Security Vulnerabilities in Libraries - jackson-databind-2.9.8.jar, tomcat-servlet-api-8.0.53.jar, tomcat-websocket-api-8.0.53.jar, zookeeper-3.4.6.jar, guava-18.0.jar, jetty-all-9.2.26.v20180806.jar, scala-library-2.11.0.jar", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/053d9ce4d579b02203db18545fee5e33f35f2932885459b74d1e4272%40%3Cissues.activemq.apache.org%3E" }, { "name": "[drill-dev] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f%40%3Cdev.drill.apache.org%3E" }, { "name": "[drill-issues] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc%40%3Cissues.drill.apache.org%3E" }, { "name": "[hadoop-common-dev] 20191030 [jira] [Created] (HADOOP-16676) Security Vulnerability for dependency jetty-xml -please upgrade", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/36870f6c51f5bc25e6f7bb1fcace0e57e81f1524019b11f466738559%40%3Ccommon-dev.hadoop.apache.org%3E" }, { "name": "[hadoop-common-issues] 20191030 [jira] [Created] (HADOOP-16676) Security Vulnerability for dependency jetty-xml -please upgrade", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/f887a5978f5e4c62b9cfe876336628385cff429e796962649649ec8a%40%3Ccommon-issues.hadoop.apache.org%3E" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.oracle.com/security-alerts/cpuoct2020.html" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://bugs.debian.org/864631" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/eclipse/jetty.project/issues/1556" }, { "name": "[debian-lts-announce] 20210514 [SECURITY] [DLA 2661-1] jetty9 security update", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.debian.org/debian-lts-announce/2021/05/msg00016.html" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.oracle.com//security-alerts/cpujul2021.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2017-06-16T00:00:00", "descriptions": [ { "lang": "en", "value": "Jetty through 9.4.x is prone to a timing channel in util/security/Password.java, which makes it easier for remote attackers to obtain access by observing elapsed times before rejection of incorrect passwords." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2021-07-20T22:53:10", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "name": "99104", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/99104" }, { "name": "[pulsar-commits] 20190416 [GitHub] [pulsar] one70six opened a new issue #4057: Security Vulnerabilities - Black Duck Scan - Pulsar v.2.3.1", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/ff8dcfe29377088ab655fda9d585dccd5b1f07fabd94ae84fd60a7f8%40%3Ccommits.pulsar.apache.org%3E" }, { "name": "[activemq-issues] 20190820 [jira] [Created] (AMQ-7279) Security Vulnerabilities in Libraries - jackson-databind-2.9.8.jar, tomcat-servlet-api-8.0.53.jar, tomcat-websocket-api-8.0.53.jar, zookeeper-3.4.6.jar, guava-18.0.jar, jetty-all-9.2.26.v20180806.jar, scala-library-2.11.0.jar", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/053d9ce4d579b02203db18545fee5e33f35f2932885459b74d1e4272%40%3Cissues.activemq.apache.org%3E" }, { "name": "[drill-dev] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f%40%3Cdev.drill.apache.org%3E" }, { "name": "[drill-issues] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc%40%3Cissues.drill.apache.org%3E" }, { "name": "[hadoop-common-dev] 20191030 [jira] [Created] (HADOOP-16676) Security Vulnerability for dependency jetty-xml -please upgrade", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/36870f6c51f5bc25e6f7bb1fcace0e57e81f1524019b11f466738559%40%3Ccommon-dev.hadoop.apache.org%3E" }, { "name": "[hadoop-common-issues] 20191030 [jira] [Created] (HADOOP-16676) Security Vulnerability for dependency jetty-xml -please upgrade", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/f887a5978f5e4c62b9cfe876336628385cff429e796962649649ec8a%40%3Ccommon-issues.hadoop.apache.org%3E" }, { "tags": [ "x_refsource_MISC" ], "url": "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html" }, { "tags": [ "x_refsource_MISC" ], "url": "https://www.oracle.com/security-alerts/cpuoct2020.html" }, { "tags": [ "x_refsource_MISC" ], "url": "https://bugs.debian.org/864631" }, { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/eclipse/jetty.project/issues/1556" }, { "name": "[debian-lts-announce] 20210514 [SECURITY] [DLA 2661-1] jetty9 security update", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.debian.org/debian-lts-announce/2021/05/msg00016.html" }, { "tags": [ "x_refsource_MISC" ], "url": "https://www.oracle.com//security-alerts/cpujul2021.html" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2017-9735", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Jetty through 9.4.x is prone to a timing channel in util/security/Password.java, which makes it easier for remote attackers to obtain access by observing elapsed times before rejection of incorrect passwords." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "99104", "refsource": "BID", "url": "http://www.securityfocus.com/bid/99104" }, { "name": "[pulsar-commits] 20190416 [GitHub] [pulsar] one70six opened a new issue #4057: Security Vulnerabilities - Black Duck Scan - Pulsar v.2.3.1", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/ff8dcfe29377088ab655fda9d585dccd5b1f07fabd94ae84fd60a7f8@%3Ccommits.pulsar.apache.org%3E" }, { "name": "[activemq-issues] 20190820 [jira] [Created] (AMQ-7279) Security Vulnerabilities in Libraries - jackson-databind-2.9.8.jar, tomcat-servlet-api-8.0.53.jar, tomcat-websocket-api-8.0.53.jar, zookeeper-3.4.6.jar, guava-18.0.jar, jetty-all-9.2.26.v20180806.jar, scala-library-2.11.0.jar", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/053d9ce4d579b02203db18545fee5e33f35f2932885459b74d1e4272@%3Cissues.activemq.apache.org%3E" }, { "name": "[drill-dev] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E" }, { "name": "[drill-issues] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@%3Cissues.drill.apache.org%3E" }, { "name": "[hadoop-common-dev] 20191030 [jira] [Created] (HADOOP-16676) Security Vulnerability for dependency jetty-xml -please upgrade", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/36870f6c51f5bc25e6f7bb1fcace0e57e81f1524019b11f466738559@%3Ccommon-dev.hadoop.apache.org%3E" }, { "name": "[hadoop-common-issues] 20191030 [jira] [Created] (HADOOP-16676) Security Vulnerability for dependency jetty-xml -please upgrade", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/f887a5978f5e4c62b9cfe876336628385cff429e796962649649ec8a@%3Ccommon-issues.hadoop.apache.org%3E" }, { "name": "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html", "refsource": "MISC", "url": "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html" }, { "name": "https://www.oracle.com/security-alerts/cpuoct2020.html", "refsource": "MISC", "url": "https://www.oracle.com/security-alerts/cpuoct2020.html" }, { "name": "https://bugs.debian.org/864631", "refsource": "MISC", "url": "https://bugs.debian.org/864631" }, { "name": "https://github.com/eclipse/jetty.project/issues/1556", "refsource": "MISC", "url": "https://github.com/eclipse/jetty.project/issues/1556" }, { "name": "[debian-lts-announce] 20210514 [SECURITY] [DLA 2661-1] jetty9 security update", "refsource": "MLIST", "url": "https://lists.debian.org/debian-lts-announce/2021/05/msg00016.html" }, { "name": "https://www.oracle.com//security-alerts/cpujul2021.html", "refsource": "MISC", "url": "https://www.oracle.com//security-alerts/cpujul2021.html" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2017-9735", "datePublished": "2017-06-16T21:00:00", "dateReserved": "2017-06-16T00:00:00", "dateUpdated": "2024-08-05T17:18:01.294Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2021-37714
Vulnerability from cvelistv5
Published
2021-08-18 15:10
Modified
2024-08-04 01:23
Severity ?
EPSS score ?
Summary
jsoup is a Java library for working with HTML. Those using jsoup versions prior to 1.14.2 to parse untrusted HTML or XML may be vulnerable to DOS attacks. If the parser is run on user supplied input, an attacker may supply content that causes the parser to get stuck (loop indefinitely until cancelled), to complete more slowly than usual, or to throw an unexpected exception. This effect may support a denial of service attack. The issue is patched in version 1.14.2. There are a few available workarounds. Users may rate limit input parsing, limit the size of inputs based on system resources, and/or implement thread watchdogs to cap and timeout parse runtimes.
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T01:23:01.524Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/jhy/jsoup/security/advisories/GHSA-m72m-mhq2-9p6c" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://jsoup.org/news/release-1.14.1" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://jsoup.org/news/release-1.14.2" }, { "name": "[james-notifications] 20210820 [GitHub] [james-project] chibenwa opened a new pull request #609: [UPGRADE] JSOUP 1.14.1 -\u003e 1.14.2 to address CVE-2021-37714", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r685c5235235ad0c26e86d0ee987fb802c9675de6081dbf0516464e0b%40%3Cnotifications.james.apache.org%3E" }, { "name": "[james-notifications] 20210823 [GitHub] [james-project] chibenwa merged pull request #609: [UPGRADE] JSOUP 1.14.1 -\u003e 1.14.2 to address CVE-2021-37714", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/rc3354080fc67fb50b45b3c2d12dc4ca2a3c1c78dad3d3ba012c038aa%40%3Cnotifications.james.apache.org%3E" }, { "name": "[james-notifications] 20210823 [james-project] branch master updated: [UPGRADE] JSOUP 1.14.1 -\u003e 1.14.2 to address CVE-2021-37714", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r97404676a5cf591988faedb887d64e278f522adcaa823d89ca69defe%40%3Cnotifications.james.apache.org%3E" }, { "name": "[maven-issues] 20210830 [jira] [Created] (WAGON-612) Update jsoup to \u003e= 1.14.2 for fix security issue", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r50e9c9466c592ca9d707a5dea549524d19e3287da08d8392f643960e%40%3Cissues.maven.apache.org%3E" }, { "name": "[maven-issues] 20210901 [jira] [Created] (MNG-7227) Fix CVE-2021-37714 present in apache-maven", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r215009dbf7467a9f6506d0c0024cb36cad30071010e62c9352cfaaf0%40%3Cissues.maven.apache.org%3E" }, { "name": "[maven-issues] 20210901 [jira] [Updated] (MNG-7227) Fix CVE-2021-37714 present in apache-maven", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r3d71f18adb78e50f626dde689161ca63d3b7491bd9718fcddfaecba7%40%3Cissues.maven.apache.org%3E" }, { "name": "[maven-issues] 20210901 [jira] [Commented] (MNG-7227) Fix CVE-2021-37714 present in apache-maven", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r377b93d79817ce649e9e68b3456e6f499747ef1643fa987b342e082e%40%3Cissues.maven.apache.org%3E" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.oracle.com/security-alerts/cpujan2022.html" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://security.netapp.com/advisory/ntap-20220210-0022/" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.oracle.com/security-alerts/cpujul2022.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "jsoup", "vendor": "jhy", "versions": [ { "status": "affected", "version": "\u003c 1.14.2" } ] } ], "descriptions": [ { "lang": "en", "value": "jsoup is a Java library for working with HTML. Those using jsoup versions prior to 1.14.2 to parse untrusted HTML or XML may be vulnerable to DOS attacks. If the parser is run on user supplied input, an attacker may supply content that causes the parser to get stuck (loop indefinitely until cancelled), to complete more slowly than usual, or to throw an unexpected exception. This effect may support a denial of service attack. The issue is patched in version 1.14.2. There are a few available workarounds. Users may rate limit input parsing, limit the size of inputs based on system resources, and/or implement thread watchdogs to cap and timeout parse runtimes." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-835", "description": "CWE-835: Loop with Unreachable Exit Condition (\u0027Infinite Loop\u0027)", "lang": "en", "type": "CWE" } ] }, { "descriptions": [ { "cweId": "CWE-248", "description": "CWE-248: Uncaught Exception", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2022-07-25T16:31:13", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/jhy/jsoup/security/advisories/GHSA-m72m-mhq2-9p6c" }, { "tags": [ "x_refsource_MISC" ], "url": "https://jsoup.org/news/release-1.14.1" }, { "tags": [ "x_refsource_MISC" ], "url": "https://jsoup.org/news/release-1.14.2" }, { "name": "[james-notifications] 20210820 [GitHub] [james-project] chibenwa opened a new pull request #609: [UPGRADE] JSOUP 1.14.1 -\u003e 1.14.2 to address CVE-2021-37714", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r685c5235235ad0c26e86d0ee987fb802c9675de6081dbf0516464e0b%40%3Cnotifications.james.apache.org%3E" }, { "name": "[james-notifications] 20210823 [GitHub] [james-project] chibenwa merged pull request #609: [UPGRADE] JSOUP 1.14.1 -\u003e 1.14.2 to address CVE-2021-37714", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/rc3354080fc67fb50b45b3c2d12dc4ca2a3c1c78dad3d3ba012c038aa%40%3Cnotifications.james.apache.org%3E" }, { "name": "[james-notifications] 20210823 [james-project] branch master updated: [UPGRADE] JSOUP 1.14.1 -\u003e 1.14.2 to address CVE-2021-37714", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r97404676a5cf591988faedb887d64e278f522adcaa823d89ca69defe%40%3Cnotifications.james.apache.org%3E" }, { "name": "[maven-issues] 20210830 [jira] [Created] (WAGON-612) Update jsoup to \u003e= 1.14.2 for fix security issue", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r50e9c9466c592ca9d707a5dea549524d19e3287da08d8392f643960e%40%3Cissues.maven.apache.org%3E" }, { "name": "[maven-issues] 20210901 [jira] [Created] (MNG-7227) Fix CVE-2021-37714 present in apache-maven", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r215009dbf7467a9f6506d0c0024cb36cad30071010e62c9352cfaaf0%40%3Cissues.maven.apache.org%3E" }, { "name": "[maven-issues] 20210901 [jira] [Updated] (MNG-7227) Fix CVE-2021-37714 present in apache-maven", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r3d71f18adb78e50f626dde689161ca63d3b7491bd9718fcddfaecba7%40%3Cissues.maven.apache.org%3E" }, { "name": "[maven-issues] 20210901 [jira] [Commented] (MNG-7227) Fix CVE-2021-37714 present in apache-maven", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r377b93d79817ce649e9e68b3456e6f499747ef1643fa987b342e082e%40%3Cissues.maven.apache.org%3E" }, { "tags": [ "x_refsource_MISC" ], "url": "https://www.oracle.com/security-alerts/cpujan2022.html" }, { "tags": [ "x_refsource_MISC" ], "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://security.netapp.com/advisory/ntap-20220210-0022/" }, { "tags": [ "x_refsource_MISC" ], "url": "https://www.oracle.com/security-alerts/cpujul2022.html" } ], "source": { "advisory": "GHSA-m72m-mhq2-9p6c", "discovery": "UNKNOWN" }, "title": "Crafted input may cause the jsoup HTML and XML parser to get stuck, timeout, or throw unchecked exceptions", "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security-advisories@github.com", "ID": "CVE-2021-37714", "STATE": "PUBLIC", "TITLE": "Crafted input may cause the jsoup HTML and XML parser to get stuck, timeout, or throw unchecked exceptions" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "jsoup", "version": { "version_data": [ { "version_value": "\u003c 1.14.2" } ] } } ] }, "vendor_name": "jhy" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "jsoup is a Java library for working with HTML. Those using jsoup versions prior to 1.14.2 to parse untrusted HTML or XML may be vulnerable to DOS attacks. If the parser is run on user supplied input, an attacker may supply content that causes the parser to get stuck (loop indefinitely until cancelled), to complete more slowly than usual, or to throw an unexpected exception. This effect may support a denial of service attack. The issue is patched in version 1.14.2. There are a few available workarounds. Users may rate limit input parsing, limit the size of inputs based on system resources, and/or implement thread watchdogs to cap and timeout parse runtimes." } ] }, "impact": { "cvss": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-835: Loop with Unreachable Exit Condition (\u0027Infinite Loop\u0027)" } ] }, { "description": [ { "lang": "eng", "value": "CWE-248: Uncaught Exception" } ] } ] }, "references": { "reference_data": [ { "name": "https://github.com/jhy/jsoup/security/advisories/GHSA-m72m-mhq2-9p6c", "refsource": "CONFIRM", "url": "https://github.com/jhy/jsoup/security/advisories/GHSA-m72m-mhq2-9p6c" }, { "name": "https://jsoup.org/news/release-1.14.1", "refsource": "MISC", "url": "https://jsoup.org/news/release-1.14.1" }, { "name": "https://jsoup.org/news/release-1.14.2", "refsource": "MISC", "url": "https://jsoup.org/news/release-1.14.2" }, { "name": "[james-notifications] 20210820 [GitHub] [james-project] chibenwa opened a new pull request #609: [UPGRADE] JSOUP 1.14.1 -\u003e 1.14.2 to address CVE-2021-37714", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r685c5235235ad0c26e86d0ee987fb802c9675de6081dbf0516464e0b@%3Cnotifications.james.apache.org%3E" }, { "name": "[james-notifications] 20210823 [GitHub] [james-project] chibenwa merged pull request #609: [UPGRADE] JSOUP 1.14.1 -\u003e 1.14.2 to address CVE-2021-37714", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/rc3354080fc67fb50b45b3c2d12dc4ca2a3c1c78dad3d3ba012c038aa@%3Cnotifications.james.apache.org%3E" }, { "name": "[james-notifications] 20210823 [james-project] branch master updated: [UPGRADE] JSOUP 1.14.1 -\u003e 1.14.2 to address CVE-2021-37714", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r97404676a5cf591988faedb887d64e278f522adcaa823d89ca69defe@%3Cnotifications.james.apache.org%3E" }, { "name": "[maven-issues] 20210830 [jira] [Created] (WAGON-612) Update jsoup to \u003e= 1.14.2 for fix security issue", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r50e9c9466c592ca9d707a5dea549524d19e3287da08d8392f643960e@%3Cissues.maven.apache.org%3E" }, { "name": "[maven-issues] 20210901 [jira] [Created] (MNG-7227) Fix CVE-2021-37714 present in apache-maven", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r215009dbf7467a9f6506d0c0024cb36cad30071010e62c9352cfaaf0@%3Cissues.maven.apache.org%3E" }, { "name": "[maven-issues] 20210901 [jira] [Updated] (MNG-7227) Fix CVE-2021-37714 present in apache-maven", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r3d71f18adb78e50f626dde689161ca63d3b7491bd9718fcddfaecba7@%3Cissues.maven.apache.org%3E" }, { "name": "[maven-issues] 20210901 [jira] [Commented] (MNG-7227) Fix CVE-2021-37714 present in apache-maven", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r377b93d79817ce649e9e68b3456e6f499747ef1643fa987b342e082e@%3Cissues.maven.apache.org%3E" }, { "name": "https://www.oracle.com/security-alerts/cpujan2022.html", "refsource": "MISC", "url": "https://www.oracle.com/security-alerts/cpujan2022.html" }, { "name": "https://www.oracle.com/security-alerts/cpuapr2022.html", "refsource": "MISC", "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" }, { "name": "https://security.netapp.com/advisory/ntap-20220210-0022/", "refsource": "CONFIRM", "url": "https://security.netapp.com/advisory/ntap-20220210-0022/" }, { "name": "https://www.oracle.com/security-alerts/cpujul2022.html", "refsource": "MISC", "url": "https://www.oracle.com/security-alerts/cpujul2022.html" } ] }, "source": { "advisory": "GHSA-m72m-mhq2-9p6c", "discovery": "UNKNOWN" } } } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2021-37714", "datePublished": "2021-08-18T15:10:11", "dateReserved": "2021-07-29T00:00:00", "dateUpdated": "2024-08-04T01:23:01.524Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2022-42004
Vulnerability from cvelistv5
Published
2022-10-02 00:00
Modified
2024-08-03 12:56
Severity ?
EPSS score ?
Summary
In FasterXML jackson-databind before 2.13.4, resource exhaustion can occur because of a lack of a check in BeanDeserializer._deserializeFromArray to prevent use of deeply nested arrays. An application is vulnerable only with certain customized choices for deserialization.
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T12:56:39.182Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://github.com/FasterXML/jackson-databind/issues/3582" }, { "tags": [ "x_transferred" ], "url": "https://github.com/FasterXML/jackson-databind/commit/063183589218fec19a9293ed2f17ec53ea80ba88" }, { "tags": [ "x_transferred" ], "url": "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=50490" }, { "name": "GLSA-202210-21", "tags": [ "vendor-advisory", "x_transferred" ], "url": "https://security.gentoo.org/glsa/202210-21" }, { "name": "DSA-5283", "tags": [ "vendor-advisory", "x_transferred" ], "url": "https://www.debian.org/security/2022/dsa-5283" }, { "tags": [ "x_transferred" ], "url": "https://security.netapp.com/advisory/ntap-20221118-0008/" }, { "name": "[debian-lts-announce] 20221127 [SECURITY] [DLA 3207-1] jackson-databind security update", "tags": [ "mailing-list", "x_transferred" ], "url": "https://lists.debian.org/debian-lts-announce/2022/11/msg00035.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "In FasterXML jackson-databind before 2.13.4, resource exhaustion can occur because of a lack of a check in BeanDeserializer._deserializeFromArray to prevent use of deeply nested arrays. An application is vulnerable only with certain customized choices for deserialization." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2022-11-27T00:00:00", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "url": "https://github.com/FasterXML/jackson-databind/issues/3582" }, { "url": "https://github.com/FasterXML/jackson-databind/commit/063183589218fec19a9293ed2f17ec53ea80ba88" }, { "url": "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=50490" }, { "name": "GLSA-202210-21", "tags": [ "vendor-advisory" ], "url": "https://security.gentoo.org/glsa/202210-21" }, { "name": "DSA-5283", "tags": [ "vendor-advisory" ], "url": "https://www.debian.org/security/2022/dsa-5283" }, { "url": "https://security.netapp.com/advisory/ntap-20221118-0008/" }, { "name": "[debian-lts-announce] 20221127 [SECURITY] [DLA 3207-1] jackson-databind security update", "tags": [ "mailing-list" ], "url": "https://lists.debian.org/debian-lts-announce/2022/11/msg00035.html" } ] } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2022-42004", "datePublished": "2022-10-02T00:00:00", "dateReserved": "2022-10-02T00:00:00", "dateUpdated": "2024-08-03T12:56:39.182Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2022-45143
Vulnerability from cvelistv5
Published
2023-01-03 18:12
Modified
2024-08-03 14:09
Severity ?
EPSS score ?
Summary
The JsonErrorReportValve in Apache Tomcat 8.5.83, 9.0.40 to 9.0.68 and 10.1.0-M1 to 10.1.1 did not escape the type, message or description values. In some circumstances these are constructed from user provided data and it was therefore possible for users to supply values that invalidated or manipulated the JSON output.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | Apache Software Foundation | Apache Tomcat |
Version: 10.1.0-M1 ≤ 10.1.1 Version: 9.0.40 ≤ 9.0.68 Version: 8.5.83 |
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T14:09:56.475Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "url": "https://security.netapp.com/advisory/ntap-20230216-0009/" }, { "tags": [ "vendor-advisory", "x_transferred" ], "url": "https://lists.apache.org/thread/yqkd183xrw3wqvnpcg3osbcryq85fkzj" }, { "tags": [ "x_transferred" ], "url": "https://security.gentoo.org/glsa/202305-37" } ], "title": "CVE Program Container" }, { "metrics": [ { "other": { "content": { "id": "CVE-2022-45143", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-08-01T14:55:21.394332Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-08-01T14:55:50.547Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "affected", "product": "Apache Tomcat", "vendor": "Apache Software Foundation", "versions": [ { "lessThanOrEqual": "10.1.1", "status": "affected", "version": "10.1.0-M1", "versionType": "semver" }, { "lessThanOrEqual": "9.0.68", "status": "affected", "version": "9.0.40", "versionType": "semver" }, { "status": "affected", "version": "8.5.83" } ] } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "The JsonErrorReportValve in Apache Tomcat 8.5.83, 9.0.40 to 9.0.68 and 10.1.0-M1 to 10.1.1 did not escape the type, message or description values. In some circumstances these are constructed from user provided data and it was therefore possible for users to supply values that invalidated or manipulated the JSON output." } ], "value": "The JsonErrorReportValve in Apache Tomcat 8.5.83, 9.0.40 to 9.0.68 and 10.1.0-M1 to 10.1.1 did not escape the type, message or description values. In some circumstances these are constructed from user provided data and it was therefore possible for users to supply values that invalidated or manipulated the JSON output." } ], "metrics": [ { "other": { "content": { "text": "low" }, "type": "Textual description of severity" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-116", "description": "CWE-116 Improper Encoding or Escaping of Output", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2023-06-27T12:57:14.452Z", "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache" }, "references": [ { "tags": [ "vendor-advisory" ], "url": "https://lists.apache.org/thread/yqkd183xrw3wqvnpcg3osbcryq85fkzj" }, { "url": "https://security.gentoo.org/glsa/202305-37" } ], "source": { "discovery": "INTERNAL" }, "title": "Apache Tomcat: JsonErrorReportValve escaping", "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "assignerShortName": "apache", "cveId": "CVE-2022-45143", "datePublished": "2023-01-03T18:12:28.351Z", "dateReserved": "2022-11-10T15:00:33.203Z", "dateUpdated": "2024-08-03T14:09:56.475Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2022-42252
Vulnerability from cvelistv5
Published
2022-11-01 00:00
Modified
2024-08-03 13:03
Severity ?
EPSS score ?
Summary
If Apache Tomcat 8.5.0 to 8.5.82, 9.0.0-M1 to 9.0.67, 10.0.0-M1 to 10.0.26 or 10.1.0-M1 to 10.1.0 was configured to ignore invalid HTTP headers via setting rejectIllegalHeader to false (the default for 8.5.x only), Tomcat did not reject a request containing an invalid Content-Length header making a request smuggling attack possible if Tomcat was located behind a reverse proxy that also failed to reject the request with the invalid header.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | Apache Software Foundation | Apache Tomcat |
Version: 10.1.0-M1 Version: 10.0.0-M1 Version: 9.0.0-M1 Version: 8.5.0 |
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T13:03:45.683Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://lists.apache.org/thread/zzcxzvqfdqn515zfs3dxb7n8gty589sq" }, { "tags": [ "x_transferred" ], "url": "https://security.gentoo.org/glsa/202305-37" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Apache Tomcat", "vendor": "Apache Software Foundation", "versions": [ { "lessThanOrEqual": "10.1.0", "status": "affected", "version": "10.1.0-M1", "versionType": "maven" }, { "lessThanOrEqual": "10.0.26", "status": "affected", "version": "10.0.0-M1", "versionType": "maven" }, { "lessThanOrEqual": "9.0.67", "status": "affected", "version": "9.0.0-M1", "versionType": "maven" }, { "lessThanOrEqual": "8.5.82", "status": "affected", "version": "8.5.0", "versionType": "maven" } ] } ], "credits": [ { "lang": "en", "value": "Thanks to Sam Shahsavar who discovered this issue and reported it to the Apache Tomcat security team." } ], "descriptions": [ { "lang": "en", "value": "If Apache Tomcat 8.5.0 to 8.5.82, 9.0.0-M1 to 9.0.67, 10.0.0-M1 to 10.0.26 or 10.1.0-M1 to 10.1.0 was configured to ignore invalid HTTP headers via setting rejectIllegalHeader to false (the default for 8.5.x only), Tomcat did not reject a request containing an invalid Content-Length header making a request smuggling attack possible if Tomcat was located behind a reverse proxy that also failed to reject the request with the invalid header." } ], "metrics": [ { "other": { "content": { "other": "low" }, "type": "unknown" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-444", "description": "CWE-444 Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2022-12-20T13:11:31.015Z", "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache" }, "references": [ { "url": "https://lists.apache.org/thread/zzcxzvqfdqn515zfs3dxb7n8gty589sq" }, { "url": "https://security.gentoo.org/glsa/202305-37" } ], "source": { "discovery": "UNKNOWN" }, "title": "Apache Tomcat request smuggling via malformed content-length", "x_generator": { "engine": "Vulnogram 0.0.9" } } }, "cveMetadata": { "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "assignerShortName": "apache", "cveId": "CVE-2022-42252", "datePublished": "2022-11-01T00:00:00", "dateReserved": "2022-10-03T00:00:00", "dateUpdated": "2024-08-03T13:03:45.683Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2023-42794
Vulnerability from cvelistv5
Published
2023-10-10 17:17
Modified
2024-08-02 19:30
Severity ?
EPSS score ?
Summary
Incomplete Cleanup vulnerability in Apache Tomcat.
The internal fork of Commons FileUpload packaged with Apache Tomcat 9.0.70 through 9.0.80 and 8.5.85 through 8.5.93 included an unreleased,
in progress refactoring that exposed a potential denial of service on
Windows if a web application opened a stream for an uploaded file but
failed to close the stream. The file would never be deleted from disk
creating the possibility of an eventual denial of service due to the
disk being full.
Users are recommended to upgrade to version 9.0.81 onwards or 8.5.94 onwards, which fixes the issue.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | Apache Software Foundation | Apache Tomcat |
Version: 9.0.70 ≤ 9.0.80 Version: 8.5.85 ≤ 8.5.93 |
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T19:30:24.246Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "vendor-advisory", "x_transferred" ], "url": "https://lists.apache.org/thread/vvbr2ms7lockj1hlhz5q3wmxb2mwcw82" }, { "tags": [ "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2023/10/10/8" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Apache Tomcat", "vendor": "Apache Software Foundation", "versions": [ { "lessThanOrEqual": "9.0.80", "status": "affected", "version": "9.0.70", "versionType": "semver" }, { "lessThanOrEqual": "8.5.93", "status": "affected", "version": "8.5.85", "versionType": "semver" } ] } ], "credits": [ { "lang": "en", "type": "finder", "value": "Mohammad Khedmatgozar (cellbox)" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "Incomplete Cleanup vulnerability in Apache Tomcat.\u003cbr\u003e\u003cbr\u003eThe internal fork of Commons FileUpload packaged with Apache Tomcat 9.0.70 through 9.0.80 and 8.5.85 through 8.5.93 included an unreleased, \nin progress refactoring that exposed a potential denial of service on \nWindows if a web application opened a stream for an uploaded file but \nfailed to close the stream. The file would never be deleted from disk \ncreating the possibility of an eventual denial of service due to the \ndisk being full.\n\u003cbr\u003e\u003cp\u003e\u003cspan style=\"background-color: var(--wht);\"\u003eUsers are recommended to upgrade to version 9.0.81 onwards or 8.5.94 onwards, which fixes the issue.\u003c/span\u003e\u003cbr\u003e\u003c/p\u003e" } ], "value": "Incomplete Cleanup vulnerability in Apache Tomcat.\n\nThe internal fork of Commons FileUpload packaged with Apache Tomcat 9.0.70 through 9.0.80 and 8.5.85 through 8.5.93 included an unreleased, \nin progress refactoring that exposed a potential denial of service on \nWindows if a web application opened a stream for an uploaded file but \nfailed to close the stream. The file would never be deleted from disk \ncreating the possibility of an eventual denial of service due to the \ndisk being full.\n\nUsers are recommended to upgrade to version 9.0.81 onwards or 8.5.94 onwards, which fixes the issue.\n\n" } ], "metrics": [ { "other": { "content": { "text": "low" }, "type": "Textual description of severity" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-459", "description": "CWE-459 Incomplete Cleanup", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2023-10-10T17:17:01.378Z", "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache" }, "references": [ { "tags": [ "vendor-advisory" ], "url": "https://lists.apache.org/thread/vvbr2ms7lockj1hlhz5q3wmxb2mwcw82" }, { "url": "http://www.openwall.com/lists/oss-security/2023/10/10/8" } ], "source": { "discovery": "EXTERNAL" }, "title": "Apache Tomcat: FileUpload: DoS due to accumulation of temporary files on Windows", "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "assignerShortName": "apache", "cveId": "CVE-2023-42794", "datePublished": "2023-10-10T17:17:01.378Z", "dateReserved": "2023-09-14T12:05:53.583Z", "dateUpdated": "2024-08-02T19:30:24.246Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2020-36518
Vulnerability from cvelistv5
Published
2022-03-11 00:00
Modified
2024-08-04 17:30
Severity ?
EPSS score ?
Summary
jackson-databind before 2.13.0 allows a Java StackOverflow exception and denial of service via a large depth of nested objects.
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T17:30:08.127Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://github.com/FasterXML/jackson-databind/issues/2816" }, { "tags": [ "x_transferred" ], "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" }, { "name": "[debian-lts-announce] 20220502 [SECURITY] [DLA 2990-1] jackson-databind security update", "tags": [ "mailing-list", "x_transferred" ], "url": "https://lists.debian.org/debian-lts-announce/2022/05/msg00001.html" }, { "tags": [ "x_transferred" ], "url": "https://www.oracle.com/security-alerts/cpujul2022.html" }, { "tags": [ "x_transferred" ], "url": "https://security.netapp.com/advisory/ntap-20220506-0004/" }, { "name": "DSA-5283", "tags": [ "vendor-advisory", "x_transferred" ], "url": "https://www.debian.org/security/2022/dsa-5283" }, { "name": "[debian-lts-announce] 20221127 [SECURITY] [DLA 3207-1] jackson-databind security update", "tags": [ "mailing-list", "x_transferred" ], "url": "https://lists.debian.org/debian-lts-announce/2022/11/msg00035.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "jackson-databind before 2.13.0 allows a Java StackOverflow exception and denial of service via a large depth of nested objects." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2022-11-27T00:00:00", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "url": "https://github.com/FasterXML/jackson-databind/issues/2816" }, { "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" }, { "name": "[debian-lts-announce] 20220502 [SECURITY] [DLA 2990-1] jackson-databind security update", "tags": [ "mailing-list" ], "url": "https://lists.debian.org/debian-lts-announce/2022/05/msg00001.html" }, { "url": "https://www.oracle.com/security-alerts/cpujul2022.html" }, { "url": "https://security.netapp.com/advisory/ntap-20220506-0004/" }, { "name": "DSA-5283", "tags": [ "vendor-advisory" ], "url": "https://www.debian.org/security/2022/dsa-5283" }, { "name": "[debian-lts-announce] 20221127 [SECURITY] [DLA 3207-1] jackson-databind security update", "tags": [ "mailing-list" ], "url": "https://lists.debian.org/debian-lts-announce/2022/11/msg00035.html" } ] } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2020-36518", "datePublished": "2022-03-11T00:00:00", "dateReserved": "2022-03-11T00:00:00", "dateUpdated": "2024-08-04T17:30:08.127Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2023-22516
Vulnerability from cvelistv5
Published
2023-11-21 18:00
Modified
2024-10-21 14:08
Severity ?
EPSS score ?
Summary
This High severity RCE (Remote Code Execution) vulnerability was introduced in versions 8.1.0, 8.2.0, 9.0.0, 9.1.0, 9.2.0, and 9.3.0 of Bamboo Data Center and Server.
This RCE (Remote Code Execution) vulnerability, with a CVSS Score of 8.5, allows an authenticated attacker to execute arbitrary code which has high impact to confidentiality, high impact to integrity, high impact to availability, and requires no user interaction.
Atlassian recommends that Bamboo Data Center and Server customers upgrade to latest version, if you are unable to do so, upgrade your instance to one of the specified supported fixed versions:
Bamboo Data Center and Server 9.2: Upgrade to a release greater than or equal to 9.2.7.
JDK 1.8u121+ should be used in case Java 8 used to run Bamboo Data Center and Server. See Bamboo 9.2 Upgrade notes (https://confluence.atlassian.com/bambooreleases/bamboo-9-2-upgrade-notes-1207179212.html)
Bamboo Data Center and Server 9.3: Upgrade to a release greater than or equal to 9.3.4
See the release notes ([https://confluence.atlassian.com/bambooreleases/bamboo-release-notes-1189793869.html]). You can download the latest version of Bamboo Data Center and Server from the download center ([https://www.atlassian.com/software/bamboo/download-archives]).
This vulnerability was discovered by a private user and reported via our Bug Bounty program
References
Impacted products
Vendor | Product | Version | |||||
---|---|---|---|---|---|---|---|
▼ | Atlassian | Bamboo Data Center |
Version: >= 8.1.0 Version: >= 8.1.1 Version: >= 8.1.10 Version: >= 8.1.11 Version: >= 8.1.12 Version: >= 8.1.2 Version: >= 8.1.3 Version: >= 8.1.4 Version: >= 8.1.5 Version: >= 8.1.6 Version: >= 8.1.7 Version: >= 8.1.9 Version: >= 8.2.0 Version: >= 8.2.1 Version: >= 8.2.2 Version: >= 8.2.3 Version: >= 8.2.4 Version: >= 8.2.5 Version: >= 8.2.6 Version: >= 8.2.7 Version: >= 8.2.8 Version: >= 8.2.9 Version: >= 9.0.0 Version: >= 9.0.1 Version: >= 9.0.2 Version: >= 9.0.3 Version: >= 9.1.0 Version: >= 9.1.1 Version: >= 9.1.2 Version: >= 9.1.3 Version: >= 9.2.1 Version: >= 9.2.3 Version: >= 9.2.4 Version: >= 9.2.5 Version: >= 9.2.6 Version: >= 9.3.0 Version: >= 9.3.1 Version: >= 9.3.2 Version: >= 9.3.3 |
||||
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T10:13:48.652Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://confluence.atlassian.com/pages/viewpage.action?pageId=1318881573" }, { "tags": [ "x_transferred" ], "url": "https://jira.atlassian.com/browse/BAM-25168" } ], "title": "CVE Program Container" }, { "metrics": [ { "other": { "content": { "id": "CVE-2023-22516", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "total" } ], "role": "CISA Coordinator", "timestamp": "2024-10-15T17:15:23.698292Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-10-21T14:08:32.586Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "Bamboo Data Center", "vendor": "Atlassian", "versions": [ { "status": "unaffected", "version": "\u003c 8.1.0" }, { "status": "affected", "version": "\u003e= 8.1.0" }, { "status": "affected", "version": "\u003e= 8.1.1" }, { "status": "affected", "version": "\u003e= 8.1.10" }, { "status": "affected", "version": "\u003e= 8.1.11" }, { "status": "affected", "version": "\u003e= 8.1.12" }, { "status": "affected", "version": "\u003e= 8.1.2" }, { "status": "affected", "version": "\u003e= 8.1.3" }, { "status": "affected", "version": "\u003e= 8.1.4" }, { "status": "affected", "version": "\u003e= 8.1.5" }, { "status": "affected", "version": "\u003e= 8.1.6" }, { "status": "affected", "version": "\u003e= 8.1.7" }, { "status": "affected", "version": "\u003e= 8.1.9" }, { "status": "affected", "version": "\u003e= 8.2.0" }, { "status": "affected", "version": "\u003e= 8.2.1" }, { "status": "affected", "version": "\u003e= 8.2.2" }, { "status": "affected", "version": "\u003e= 8.2.3" }, { "status": "affected", "version": "\u003e= 8.2.4" }, { "status": "affected", "version": "\u003e= 8.2.5" }, { "status": "affected", "version": "\u003e= 8.2.6" }, { "status": "affected", "version": "\u003e= 8.2.7" }, { "status": "affected", "version": "\u003e= 8.2.8" }, { "status": "affected", "version": "\u003e= 8.2.9" }, { "status": "affected", "version": "\u003e= 9.0.0" }, { "status": "affected", "version": "\u003e= 9.0.1" }, { "status": "affected", "version": "\u003e= 9.0.2" }, { "status": "affected", "version": "\u003e= 9.0.3" }, { "status": "affected", "version": "\u003e= 9.1.0" }, { "status": "affected", "version": "\u003e= 9.1.1" }, { "status": "affected", "version": "\u003e= 9.1.2" }, { "status": "affected", "version": "\u003e= 9.1.3" }, { "status": "affected", "version": "\u003e= 9.2.1" }, { "status": "affected", "version": "\u003e= 9.2.3" }, { "status": "affected", "version": "\u003e= 9.2.4" }, { "status": "affected", "version": "\u003e= 9.2.5" }, { "status": "affected", "version": "\u003e= 9.2.6" }, { "status": "affected", "version": "\u003e= 9.3.0" }, { "status": "affected", "version": "\u003e= 9.3.1" }, { "status": "affected", "version": "\u003e= 9.3.2" }, { "status": "affected", "version": "\u003e= 9.3.3" }, { "status": "unaffected", "version": "\u003e= 9.2.7" }, { "status": "unaffected", "version": "\u003e= 9.3.4" } ] }, { "product": "Bamboo Server", "vendor": "Atlassian", "versions": [ { "status": "unaffected", "version": "\u003c 8.1.0" }, { "status": "affected", "version": "\u003e= 8.1.0" }, { "status": "affected", "version": "\u003e= 8.1.1" }, { "status": "affected", "version": "\u003e= 8.1.10" }, { "status": "affected", "version": "\u003e= 8.1.11" }, { "status": "affected", "version": "\u003e= 8.1.12" }, { "status": "affected", "version": "\u003e= 8.1.2" }, { "status": "affected", "version": "\u003e= 8.1.3" }, { "status": "affected", "version": "\u003e= 8.1.4" }, { "status": "affected", "version": "\u003e= 8.1.5" }, { "status": "affected", "version": "\u003e= 8.1.6" }, { "status": "affected", "version": "\u003e= 8.1.7" }, { "status": "affected", "version": "\u003e= 8.1.9" }, { "status": "affected", "version": "\u003e= 8.2.0" }, { "status": "affected", "version": "\u003e= 8.2.1" }, { "status": "affected", "version": "\u003e= 8.2.2" }, { "status": "affected", "version": "\u003e= 8.2.3" }, { "status": "affected", "version": "\u003e= 8.2.4" }, { "status": "affected", "version": "\u003e= 8.2.5" }, { "status": "affected", "version": "\u003e= 8.2.6" }, { "status": "affected", "version": "\u003e= 8.2.7" }, { "status": "affected", "version": "\u003e= 8.2.8" }, { "status": "affected", "version": "\u003e= 8.2.9" }, { "status": "affected", "version": "\u003e= 9.0.0" }, { "status": "affected", "version": "\u003e= 9.0.1" }, { "status": "affected", "version": "\u003e= 9.0.2" }, { "status": "affected", "version": "\u003e= 9.0.3" }, { "status": "affected", "version": "\u003e= 9.1.0" }, { "status": "affected", "version": "\u003e= 9.1.1" }, { "status": "affected", "version": "\u003e= 9.1.2" }, { "status": "affected", "version": "\u003e= 9.1.3" }, { "status": "affected", "version": "\u003e= 9.2.1" }, { "status": "affected", "version": "\u003e= 9.2.3" }, { "status": "affected", "version": "\u003e= 9.2.4" }, { "status": "affected", "version": "\u003e= 9.2.5" }, { "status": "affected", "version": "\u003e= 9.2.6" }, { "status": "affected", "version": "\u003e= 9.3.0" }, { "status": "affected", "version": "\u003e= 9.3.1" }, { "status": "affected", "version": "\u003e= 9.3.2" }, { "status": "affected", "version": "\u003e= 9.3.3" }, { "status": "unaffected", "version": "\u003e= 9.2.7" }, { "status": "unaffected", "version": "\u003e= 9.3.4" } ] } ], "credits": [ { "lang": "en", "value": "a private user" } ], "descriptions": [ { "lang": "en", "value": "This High severity RCE (Remote Code Execution) vulnerability was introduced in versions 8.1.0, 8.2.0, 9.0.0, 9.1.0, 9.2.0, and 9.3.0 of Bamboo Data Center and Server.\r\n\r\nThis RCE (Remote Code Execution) vulnerability, with a CVSS Score of 8.5, allows an authenticated attacker to execute arbitrary code which has high impact to confidentiality, high impact to integrity, high impact to availability, and requires no user interaction.\r\n\r\nAtlassian recommends that Bamboo Data Center and Server customers upgrade to latest version, if you are unable to do so, upgrade your instance to one of the specified supported fixed versions:\r\n Bamboo Data Center and Server 9.2: Upgrade to a release greater than or equal to 9.2.7.\r\n JDK 1.8u121+ should be used in case Java 8 used to run Bamboo Data Center and Server. See Bamboo 9.2 Upgrade notes (https://confluence.atlassian.com/bambooreleases/bamboo-9-2-upgrade-notes-1207179212.html)\r\n\r\n Bamboo Data Center and Server 9.3: Upgrade to a release greater than or equal to 9.3.4\r\n\r\nSee the release notes ([https://confluence.atlassian.com/bambooreleases/bamboo-release-notes-1189793869.html]). You can download the latest version of Bamboo Data Center and Server from the download center ([https://www.atlassian.com/software/bamboo/download-archives]).\r\n\r\nThis vulnerability was discovered by a private user and reported via our Bug Bounty program" } ], "metrics": [ { "cvssV3_0": { "baseScore": 8.5, "baseSeverity": "HIGH", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.0" } } ], "problemTypes": [ { "descriptions": [ { "description": "RCE (Remote Code Execution)", "lang": "en", "type": "RCE (Remote Code Execution)" } ] } ], "providerMetadata": { "dateUpdated": "2023-11-21T18:00:00.752Z", "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "shortName": "atlassian" }, "references": [ { "url": "https://confluence.atlassian.com/pages/viewpage.action?pageId=1318881573" }, { "url": "https://jira.atlassian.com/browse/BAM-25168" } ] } }, "cveMetadata": { "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "assignerShortName": "atlassian", "cveId": "CVE-2023-22516", "datePublished": "2023-11-21T18:00:00.752Z", "dateReserved": "2023-01-01T00:01:22.332Z", "dateUpdated": "2024-10-21T14:08:32.586Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2022-42003
Vulnerability from cvelistv5
Published
2022-10-02 00:00
Modified
2024-08-03 12:56
Severity ?
EPSS score ?
Summary
In FasterXML jackson-databind before versions 2.13.4.1 and 2.12.17.1, resource exhaustion can occur because of a lack of a check in primitive value deserializers to avoid deep wrapper array nesting, when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled.
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T12:56:39.107Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://github.com/FasterXML/jackson-databind/issues/3590" }, { "tags": [ "x_transferred" ], "url": "https://github.com/FasterXML/jackson-databind/commit/d78d00ee7b5245b93103fef3187f70543d67ca33" }, { "tags": [ "x_transferred" ], "url": "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=51020" }, { "name": "GLSA-202210-21", "tags": [ "vendor-advisory", "x_transferred" ], "url": "https://security.gentoo.org/glsa/202210-21" }, { "name": "DSA-5283", "tags": [ "vendor-advisory", "x_transferred" ], "url": "https://www.debian.org/security/2022/dsa-5283" }, { "tags": [ "x_transferred" ], "url": "https://security.netapp.com/advisory/ntap-20221124-0004/" }, { "name": "[debian-lts-announce] 20221127 [SECURITY] [DLA 3207-1] jackson-databind security update", "tags": [ "mailing-list", "x_transferred" ], "url": "https://lists.debian.org/debian-lts-announce/2022/11/msg00035.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "In FasterXML jackson-databind before versions 2.13.4.1 and 2.12.17.1, resource exhaustion can occur because of a lack of a check in primitive value deserializers to avoid deep wrapper array nesting, when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2023-12-20T09:33:08.256001", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "url": "https://github.com/FasterXML/jackson-databind/issues/3590" }, { "url": "https://github.com/FasterXML/jackson-databind/commit/d78d00ee7b5245b93103fef3187f70543d67ca33" }, { "url": "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=51020" }, { "name": "GLSA-202210-21", "tags": [ "vendor-advisory" ], "url": "https://security.gentoo.org/glsa/202210-21" }, { "name": "DSA-5283", "tags": [ "vendor-advisory" ], "url": "https://www.debian.org/security/2022/dsa-5283" }, { "url": "https://security.netapp.com/advisory/ntap-20221124-0004/" }, { "name": "[debian-lts-announce] 20221127 [SECURITY] [DLA 3207-1] jackson-databind security update", "tags": [ "mailing-list" ], "url": "https://lists.debian.org/debian-lts-announce/2022/11/msg00035.html" } ] } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2022-42003", "datePublished": "2022-10-02T00:00:00", "dateReserved": "2022-10-02T00:00:00", "dateUpdated": "2024-08-03T12:56:39.107Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2023-22521
Vulnerability from cvelistv5
Published
2023-11-21 18:00
Modified
2024-08-02 10:13
Severity ?
EPSS score ?
Summary
This High severity RCE (Remote Code Execution) vulnerability was introduced in version 3.4.6 of Crowd Data Center and Server.
This RCE (Remote Code Execution) vulnerability, with a CVSS Score of 8.0, allows an authenticated attacker to execute arbitrary code which has high impact to confidentiality, high impact to integrity, high impact to availability, and requires no user interaction.
Atlassian recommends that Crowd Data Center and Server customers upgrade to latest version, if you are unable to do so, upgrade your instance to one of the specified supported fixed versions:
Crowd Data Center and Server 3.4: Upgrade to a release greater than or equal to 5.1.6
Crowd Data Center and Server 5.2: Upgrade to a release greater than or equal to 5.2.1
See the release notes ([https://confluence.atlassian.com/crowd/crowd-release-notes-199094.html]). You can download the latest version of Crowd Data Center and Server from the download center ([https://www.atlassian.com/software/crowd/download-archive]).
This vulnerability was discovered by m1sn0w and reported via our Bug Bounty program
References
Impacted products
Vendor | Product | Version | |||||
---|---|---|---|---|---|---|---|
▼ | Atlassian | Crowd Data Center |
Version: >= 3.4.6 Version: >= 5.2.0 |
||||
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T10:13:48.932Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://confluence.atlassian.com/pages/viewpage.action?pageId=1318881573" }, { "tags": [ "x_transferred" ], "url": "https://jira.atlassian.com/browse/CWD-6139" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Crowd Data Center", "vendor": "Atlassian", "versions": [ { "status": "unaffected", "version": "\u003c 3.4.6" }, { "status": "affected", "version": "\u003e= 3.4.6" }, { "status": "affected", "version": "\u003e= 5.2.0" }, { "status": "unaffected", "version": "\u003e= 5.1.6" }, { "status": "unaffected", "version": "\u003e= 5.2.1" } ] }, { "product": "Crowd Server", "vendor": "Atlassian", "versions": [ { "status": "unaffected", "version": "\u003c 3.4.6" }, { "status": "affected", "version": "\u003e= 3.4.6" }, { "status": "affected", "version": "\u003e= 5.2.0" }, { "status": "unaffected", "version": "\u003e= 5.1.6" }, { "status": "unaffected", "version": "\u003e= 5.2.1" } ] } ], "credits": [ { "lang": "en", "value": "m1sn0w" } ], "descriptions": [ { "lang": "en", "value": "This High severity RCE (Remote Code Execution) vulnerability was introduced in version 3.4.6 of Crowd Data Center and Server.\r\n\r\nThis RCE (Remote Code Execution) vulnerability, with a CVSS Score of 8.0, allows an authenticated attacker to execute arbitrary code which has high impact to confidentiality, high impact to integrity, high impact to availability, and requires no user interaction.\r\n\r\nAtlassian recommends that Crowd Data Center and Server customers upgrade to latest version, if you are unable to do so, upgrade your instance to one of the specified supported fixed versions:\r\n Crowd Data Center and Server 3.4: Upgrade to a release greater than or equal to 5.1.6\r\n Crowd Data Center and Server 5.2: Upgrade to a release greater than or equal to 5.2.1\r\n\r\nSee the release notes ([https://confluence.atlassian.com/crowd/crowd-release-notes-199094.html]). You can download the latest version of Crowd Data Center and Server from the download center ([https://www.atlassian.com/software/crowd/download-archive]).\r\n\r\nThis vulnerability was discovered by m1sn0w and reported via our Bug Bounty program" } ], "metrics": [ { "cvssV3_0": { "baseScore": 8, "baseSeverity": "HIGH", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H", "version": "3.0" } } ], "problemTypes": [ { "descriptions": [ { "description": "RCE (Remote Code Execution)", "lang": "en", "type": "RCE (Remote Code Execution)" } ] } ], "providerMetadata": { "dateUpdated": "2023-11-29T19:00:00.539Z", "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "shortName": "atlassian" }, "references": [ { "url": "https://confluence.atlassian.com/pages/viewpage.action?pageId=1318881573" }, { "url": "https://jira.atlassian.com/browse/CWD-6139" } ] } }, "cveMetadata": { "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "assignerShortName": "atlassian", "cveId": "CVE-2023-22521", "datePublished": "2023-11-21T18:00:00.751Z", "dateReserved": "2023-01-01T00:01:22.332Z", "dateUpdated": "2024-08-02T10:13:48.932Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2022-28366
Vulnerability from cvelistv5
Published
2022-04-21 22:41
Modified
2024-08-03 05:56
Severity ?
EPSS score ?
Summary
Certain Neko-related HTML parsers allow a denial of service via crafted Processing Instruction (PI) input that causes excessive heap memory consumption. In particular, this issue exists in HtmlUnit-Neko through 2.26, and is fixed in 2.27. This issue also exists in CyberNeko HTML through 1.9.22 (also affecting OWASP AntiSamy before 1.6.6), but 1.9.22 is the last version of CyberNeko HTML. NOTE: this may be related to CVE-2022-24839.
References
▼ | URL | Tags |
---|---|---|
https://github.com/nahsra/antisamy/releases/tag/v1.6.6 | x_refsource_MISC | |
https://search.maven.org/artifact/net.sourceforge.htmlunit/neko-htmlunit | x_refsource_MISC | |
https://sourceforge.net/projects/htmlunit/files/htmlunit/2.27/ | x_refsource_MISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T05:56:15.220Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/nahsra/antisamy/releases/tag/v1.6.6" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://search.maven.org/artifact/net.sourceforge.htmlunit/neko-htmlunit" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://sourceforge.net/projects/htmlunit/files/htmlunit/2.27/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "Certain Neko-related HTML parsers allow a denial of service via crafted Processing Instruction (PI) input that causes excessive heap memory consumption. In particular, this issue exists in HtmlUnit-Neko through 2.26, and is fixed in 2.27. This issue also exists in CyberNeko HTML through 1.9.22 (also affecting OWASP AntiSamy before 1.6.6), but 1.9.22 is the last version of CyberNeko HTML. NOTE: this may be related to CVE-2022-24839." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2022-09-26T14:35:07", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/nahsra/antisamy/releases/tag/v1.6.6" }, { "tags": [ "x_refsource_MISC" ], "url": "https://search.maven.org/artifact/net.sourceforge.htmlunit/neko-htmlunit" }, { "tags": [ "x_refsource_MISC" ], "url": "https://sourceforge.net/projects/htmlunit/files/htmlunit/2.27/" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2022-28366", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Certain Neko-related HTML parsers allow a denial of service via crafted Processing Instruction (PI) input that causes excessive heap memory consumption. In particular, this issue exists in HtmlUnit-Neko through 2.26, and is fixed in 2.27. This issue also exists in CyberNeko HTML through 1.9.22 (also affecting OWASP AntiSamy before 1.6.6), but 1.9.22 is the last version of CyberNeko HTML. NOTE: this may be related to CVE-2022-24839." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://github.com/nahsra/antisamy/releases/tag/v1.6.6", "refsource": "MISC", "url": "https://github.com/nahsra/antisamy/releases/tag/v1.6.6" }, { "name": "https://search.maven.org/artifact/net.sourceforge.htmlunit/neko-htmlunit", "refsource": "MISC", "url": "https://search.maven.org/artifact/net.sourceforge.htmlunit/neko-htmlunit" }, { "name": "https://sourceforge.net/projects/htmlunit/files/htmlunit/2.27/", "refsource": "MISC", "url": "https://sourceforge.net/projects/htmlunit/files/htmlunit/2.27/" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2022-28366", "datePublished": "2022-04-21T22:41:53", "dateReserved": "2022-04-03T00:00:00", "dateUpdated": "2024-08-03T05:56:15.220Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2021-46877
Vulnerability from cvelistv5
Published
2023-03-18 00:00
Modified
2024-08-04 05:17
Severity ?
EPSS score ?
Summary
jackson-databind 2.10.x through 2.12.x before 2.12.6 and 2.13.x before 2.13.1 allows attackers to cause a denial of service (2 GB transient heap usage per read) in uncommon situations involving JsonNode JDK serialization.
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T05:17:42.837Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://groups.google.com/g/jackson-user/c/OsBsirPM_Vw" }, { "tags": [ "x_transferred" ], "url": "https://github.com/FasterXML/jackson-databind/issues/3328" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "jackson-databind 2.10.x through 2.12.x before 2.12.6 and 2.13.x before 2.13.1 allows attackers to cause a denial of service (2 GB transient heap usage per read) in uncommon situations involving JsonNode JDK serialization." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2023-03-18T00:00:00", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "url": "https://groups.google.com/g/jackson-user/c/OsBsirPM_Vw" }, { "url": "https://github.com/FasterXML/jackson-databind/issues/3328" } ] } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2021-46877", "datePublished": "2023-03-18T00:00:00", "dateReserved": "2023-03-18T00:00:00", "dateUpdated": "2024-08-04T05:17:42.837Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2017-7656
Vulnerability from cvelistv5
Published
2018-06-26 15:00
Modified
2024-08-05 16:12
Severity ?
EPSS score ?
Summary
In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), HTTP/0.9 is handled poorly. An HTTP/1 style request line (i.e. method space URI space version) that declares a version of HTTP/0.9 was accepted and treated as a 0.9 request. If deployed behind an intermediary that also accepted and passed through the 0.9 version (but did not act on it), then the response sent could be interpreted by the intermediary as HTTP/1 headers. This could be used to poison the cache if the server allowed the origin client to generate arbitrary content in the response.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | The Eclipse Foundation | Eclipse Jetty |
Version: unspecified < Version: 9.3.0 < unspecified Version: unspecified < 9.3.24 Version: 9.4.0 < unspecified Version: unspecified < 9.4.11 |
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T16:12:27.819Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "DSA-4278", "tags": [ "vendor-advisory", "x_refsource_DEBIAN", "x_transferred" ], "url": "https://www.debian.org/security/2018/dsa-4278" }, { "name": "1041194", "tags": [ "vdb-entry", "x_refsource_SECTRACK", "x_transferred" ], "url": "http://www.securitytracker.com/id/1041194" }, { "name": "[lucene-solr-user] 20190104 Re: SOLR v7 Security Issues Caused Denial of Use - Sonatype Application Composition Report", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/708d94141126eac03011144a971a6411fcac16d9c248d1d535a39451%40%3Csolr-user.lucene.apache.org%3E" }, { "name": "[activemq-issues] 20190820 [jira] [Created] (AMQ-7279) Security Vulnerabilities in Libraries - jackson-databind-2.9.8.jar, tomcat-servlet-api-8.0.53.jar, tomcat-websocket-api-8.0.53.jar, zookeeper-3.4.6.jar, guava-18.0.jar, jetty-all-9.2.26.v20180806.jar, scala-library-2.11.0.jar", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/053d9ce4d579b02203db18545fee5e33f35f2932885459b74d1e4272%40%3Cissues.activemq.apache.org%3E" }, { "name": "[druid-commits] 20191115 [GitHub] [incubator-druid] ccaominh opened a new pull request #8878: Address security vulnerabilities", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/9317fd092b257a0815434b116a8af8daea6e920b6673f4fd5583d5fe%40%3Ccommits.druid.apache.org%3E" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html" }, { "name": "[maven-issues] 20200730 [GitHub] [maven-dependency-plugin] slachiewicz commented on pull request #91: Bump jettyVersion from 9.2.28.v20190418 to 9.3.0.v20150612", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/rbf4565a0b63f9c8b07fab29352a97bbffe76ecafed8b8555c15b83c6%40%3Cissues.maven.apache.org%3E" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.oracle.com/security-alerts/cpuoct2020.html" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://bugs.eclipse.org/bugs/show_bug.cgi?id=535667" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://security.netapp.com/advisory/ntap-20181014-0001/" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-hpesbst03953en_us" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.oracle.com//security-alerts/cpujul2021.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Eclipse Jetty", "vendor": "The Eclipse Foundation", "versions": [ { "lessThanOrEqual": "9.2.0", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "9.3.0", "versionType": "custom" }, { "lessThan": "9.3.24", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "9.4.0", "versionType": "custom" }, { "lessThan": "9.4.11", "status": "affected", "version": "unspecified", "versionType": "custom" } ] } ], "datePublic": "2018-06-07T00:00:00", "descriptions": [ { "lang": "en", "value": "In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), HTTP/0.9 is handled poorly. An HTTP/1 style request line (i.e. method space URI space version) that declares a version of HTTP/0.9 was accepted and treated as a 0.9 request. If deployed behind an intermediary that also accepted and passed through the 0.9 version (but did not act on it), then the response sent could be interpreted by the intermediary as HTTP/1 headers. This could be used to poison the cache if the server allowed the origin client to generate arbitrary content in the response." } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-444", "description": "CWE-444: Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request Smuggling\u0027)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2021-07-20T22:53:07", "orgId": "e51fbebd-6053-4e49-959f-1b94eeb69a2c", "shortName": "eclipse" }, "references": [ { "name": "DSA-4278", "tags": [ "vendor-advisory", "x_refsource_DEBIAN" ], "url": "https://www.debian.org/security/2018/dsa-4278" }, { "name": "1041194", "tags": [ "vdb-entry", "x_refsource_SECTRACK" ], "url": "http://www.securitytracker.com/id/1041194" }, { "name": "[lucene-solr-user] 20190104 Re: SOLR v7 Security Issues Caused Denial of Use - Sonatype Application Composition Report", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/708d94141126eac03011144a971a6411fcac16d9c248d1d535a39451%40%3Csolr-user.lucene.apache.org%3E" }, { "name": "[activemq-issues] 20190820 [jira] [Created] (AMQ-7279) Security Vulnerabilities in Libraries - jackson-databind-2.9.8.jar, tomcat-servlet-api-8.0.53.jar, tomcat-websocket-api-8.0.53.jar, zookeeper-3.4.6.jar, guava-18.0.jar, jetty-all-9.2.26.v20180806.jar, scala-library-2.11.0.jar", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/053d9ce4d579b02203db18545fee5e33f35f2932885459b74d1e4272%40%3Cissues.activemq.apache.org%3E" }, { "name": "[druid-commits] 20191115 [GitHub] [incubator-druid] ccaominh opened a new pull request #8878: Address security vulnerabilities", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/9317fd092b257a0815434b116a8af8daea6e920b6673f4fd5583d5fe%40%3Ccommits.druid.apache.org%3E" }, { "tags": [ "x_refsource_MISC" ], "url": "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html" }, { "name": "[maven-issues] 20200730 [GitHub] [maven-dependency-plugin] slachiewicz commented on pull request #91: Bump jettyVersion from 9.2.28.v20190418 to 9.3.0.v20150612", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/rbf4565a0b63f9c8b07fab29352a97bbffe76ecafed8b8555c15b83c6%40%3Cissues.maven.apache.org%3E" }, { "tags": [ "x_refsource_MISC" ], "url": "https://www.oracle.com/security-alerts/cpuoct2020.html" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://bugs.eclipse.org/bugs/show_bug.cgi?id=535667" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://security.netapp.com/advisory/ntap-20181014-0001/" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-hpesbst03953en_us" }, { "tags": [ "x_refsource_MISC" ], "url": "https://www.oracle.com//security-alerts/cpujul2021.html" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@eclipse.org", "ID": "CVE-2017-7656", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Eclipse Jetty", "version": { "version_data": [ { "version_affected": "\u003c=", "version_value": "9.2.0" }, { "version_affected": "\u003e=", "version_value": "9.3.0" }, { "version_affected": "\u003c", "version_value": "9.3.24" }, { "version_affected": "\u003e=", "version_value": "9.4.0" }, { "version_affected": "\u003c", "version_value": "9.4.11" } ] } } ] }, "vendor_name": "The Eclipse Foundation" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), HTTP/0.9 is handled poorly. An HTTP/1 style request line (i.e. method space URI space version) that declares a version of HTTP/0.9 was accepted and treated as a 0.9 request. If deployed behind an intermediary that also accepted and passed through the 0.9 version (but did not act on it), then the response sent could be interpreted by the intermediary as HTTP/1 headers. This could be used to poison the cache if the server allowed the origin client to generate arbitrary content in the response." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-444: Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request Smuggling\u0027)" } ] } ] }, "references": { "reference_data": [ { "name": "DSA-4278", "refsource": "DEBIAN", "url": "https://www.debian.org/security/2018/dsa-4278" }, { "name": "1041194", "refsource": "SECTRACK", "url": "http://www.securitytracker.com/id/1041194" }, { "name": "[lucene-solr-user] 20190104 Re: SOLR v7 Security Issues Caused Denial of Use - Sonatype Application Composition Report", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/708d94141126eac03011144a971a6411fcac16d9c248d1d535a39451@%3Csolr-user.lucene.apache.org%3E" }, { "name": "[activemq-issues] 20190820 [jira] [Created] (AMQ-7279) Security Vulnerabilities in Libraries - jackson-databind-2.9.8.jar, tomcat-servlet-api-8.0.53.jar, tomcat-websocket-api-8.0.53.jar, zookeeper-3.4.6.jar, guava-18.0.jar, jetty-all-9.2.26.v20180806.jar, scala-library-2.11.0.jar", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/053d9ce4d579b02203db18545fee5e33f35f2932885459b74d1e4272@%3Cissues.activemq.apache.org%3E" }, { "name": "[druid-commits] 20191115 [GitHub] [incubator-druid] ccaominh opened a new pull request #8878: Address security vulnerabilities", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/9317fd092b257a0815434b116a8af8daea6e920b6673f4fd5583d5fe@%3Ccommits.druid.apache.org%3E" }, { "name": "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html", "refsource": "MISC", "url": "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html" }, { "name": "[maven-issues] 20200730 [GitHub] [maven-dependency-plugin] slachiewicz commented on pull request #91: Bump jettyVersion from 9.2.28.v20190418 to 9.3.0.v20150612", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/rbf4565a0b63f9c8b07fab29352a97bbffe76ecafed8b8555c15b83c6@%3Cissues.maven.apache.org%3E" }, { "name": "https://www.oracle.com/security-alerts/cpuoct2020.html", "refsource": "MISC", "url": "https://www.oracle.com/security-alerts/cpuoct2020.html" }, { "name": "https://bugs.eclipse.org/bugs/show_bug.cgi?id=535667", "refsource": "CONFIRM", "url": "https://bugs.eclipse.org/bugs/show_bug.cgi?id=535667" }, { "name": "https://security.netapp.com/advisory/ntap-20181014-0001/", "refsource": "CONFIRM", "url": "https://security.netapp.com/advisory/ntap-20181014-0001/" }, { "name": "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-hpesbst03953en_us", "refsource": "CONFIRM", "url": "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-hpesbst03953en_us" }, { "name": "https://www.oracle.com//security-alerts/cpujul2021.html", "refsource": "MISC", "url": "https://www.oracle.com//security-alerts/cpujul2021.html" } ] } } } }, "cveMetadata": { "assignerOrgId": "e51fbebd-6053-4e49-959f-1b94eeb69a2c", "assignerShortName": "eclipse", "cveId": "CVE-2017-7656", "datePublished": "2018-06-26T15:00:00", "dateReserved": "2017-04-11T00:00:00", "dateUpdated": "2024-08-05T16:12:27.819Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2023-44487
Vulnerability from cvelistv5
Published
2023-10-10 00:00
Modified
2024-08-19 07:48
Severity ?
EPSS score ?
Summary
The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.
References
{ "containers": { "adp": [ { "affected": [ { "cpes": [ "cpe:2.3:a:ietf:http:2.0:*:*:*:*:*:*:*" ], "defaultStatus": "unknown", "product": "http", "vendor": "ietf", "versions": [ { "status": "affected", "version": "2.0" } ] } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" } }, { "other": { "content": { "id": "CVE-2023-44487", "options": [ { "Exploitation": "active" }, { "Automatable": "yes" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-07-23T20:34:21.334116Z", "version": "2.0.3" }, "type": "ssvc" } }, { "other": { "content": { "dateAdded": "2023-10-10", "reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?search_api_fulltext=CVE-2023-44487" }, "type": "kev" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-400", "description": "CWE-400 Uncontrolled Resource Consumption", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-07-23T20:35:03.253Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-19T07:48:04.546Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://github.com/dotnet/core/blob/e4613450ea0da7fd2fc6b61dfb2c1c1dec1ce9ec/release-notes/6.0/6.0.23/6.0.23.md?plain=1#L73" }, { "tags": [ "x_transferred" ], "url": "https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/" }, { "tags": [ "x_transferred" ], "url": "https://aws.amazon.com/security/security-bulletins/AWS-2023-011/" }, { "tags": [ "x_transferred" ], "url": "https://cloud.google.com/blog/products/identity-security/how-it-works-the-novel-http2-rapid-reset-ddos-attack" }, { "tags": [ "x_transferred" ], "url": "https://www.nginx.com/blog/http-2-rapid-reset-attack-impacting-f5-nginx-products/" }, { "tags": [ "x_transferred" ], "url": "https://cloud.google.com/blog/products/identity-security/google-cloud-mitigated-largest-ddos-attack-peaking-above-398-million-rps/" }, { "tags": [ "x_transferred" ], "url": "https://news.ycombinator.com/item?id=37831062" }, { "tags": [ "x_transferred" ], "url": "https://blog.cloudflare.com/zero-day-rapid-reset-http2-record-breaking-ddos-attack/" }, { "tags": [ "x_transferred" ], "url": "https://www.phoronix.com/news/HTTP2-Rapid-Reset-Attack" }, { "tags": [ "x_transferred" ], "url": "https://github.com/envoyproxy/envoy/pull/30055" }, { "tags": [ "x_transferred" ], "url": "https://github.com/haproxy/haproxy/issues/2312" }, { "tags": [ "x_transferred" ], "url": "https://github.com/eclipse/jetty.project/issues/10679" }, { "tags": [ "x_transferred" ], "url": "https://forums.swift.org/t/swift-nio-http2-security-update-cve-2023-44487-http-2-dos/67764" }, { "tags": [ "x_transferred" ], "url": "https://github.com/nghttp2/nghttp2/pull/1961" }, { "tags": [ "x_transferred" ], "url": "https://github.com/netty/netty/commit/58f75f665aa81a8cbcf6ffa74820042a285c5e61" }, { "tags": [ "x_transferred" ], "url": "https://github.com/alibaba/tengine/issues/1872" }, { "tags": [ "x_transferred" ], "url": "https://github.com/apache/tomcat/tree/main/java/org/apache/coyote/http2" }, { "tags": [ "x_transferred" ], "url": "https://news.ycombinator.com/item?id=37830987" }, { "tags": [ "x_transferred" ], "url": "https://news.ycombinator.com/item?id=37830998" }, { "tags": [ "x_transferred" ], "url": "https://github.com/caddyserver/caddy/issues/5877" }, { "tags": [ "x_transferred" ], "url": "https://www.bleepingcomputer.com/news/security/new-http-2-rapid-reset-zero-day-attack-breaks-ddos-records/" }, { "tags": [ "x_transferred" ], "url": "https://github.com/bcdannyboy/CVE-2023-44487" }, { "tags": [ "x_transferred" ], "url": "https://github.com/grpc/grpc-go/pull/6703" }, { "tags": [ "x_transferred" ], "url": "https://github.com/icing/mod_h2/blob/0a864782af0a942aa2ad4ed960a6b32cd35bcf0a/mod_http2/README.md?plain=1#L239-L244" }, { "tags": [ "x_transferred" ], "url": "https://github.com/nghttp2/nghttp2/releases/tag/v1.57.0" }, { "tags": [ "x_transferred" ], "url": "https://mailman.nginx.org/pipermail/nginx-devel/2023-October/S36Q5HBXR7CAIMPLLPRSSSYR4PCMWILK.html" }, { "tags": [ "x_transferred" ], "url": "https://my.f5.com/manage/s/article/K000137106" }, { "tags": [ "x_transferred" ], "url": "https://msrc.microsoft.com/blog/2023/10/microsoft-response-to-distributed-denial-of-service-ddos-attacks-against-http/2/" }, { "tags": [ "x_transferred" ], "url": "https://bugzilla.proxmox.com/show_bug.cgi?id=4988" }, { "tags": [ "x_transferred" ], "url": "https://cgit.freebsd.org/ports/commit/?id=c64c329c2c1752f46b73e3e6ce9f4329be6629f9" }, { "tags": [ "x_transferred" ], "url": "https://seanmonstar.com/post/730794151136935936/hyper-http2-rapid-reset-unaffected" }, { "tags": [ "x_transferred" ], "url": "https://github.com/microsoft/CBL-Mariner/pull/6381" }, { "tags": [ "x_transferred" ], "url": "https://groups.google.com/g/golang-announce/c/iNNxDTCjZvo" }, { "tags": [ "x_transferred" ], "url": "https://github.com/facebook/proxygen/pull/466" }, { "tags": [ "x_transferred" ], "url": "https://gist.github.com/adulau/7c2bfb8e9cdbe4b35a5e131c66a0c088" }, { "tags": [ "x_transferred" ], "url": "https://github.com/micrictor/http2-rst-stream" }, { "tags": [ "x_transferred" ], "url": "https://edg.io/lp/blog/resets-leaks-ddos-and-the-tale-of-a-hidden-cve" }, { "tags": [ "x_transferred" ], "url": "https://openssf.org/blog/2023/10/10/http-2-rapid-reset-vulnerability-highlights-need-for-rapid-response/" }, { "tags": [ "x_transferred" ], "url": "https://github.com/h2o/h2o/security/advisories/GHSA-2m7v-gc89-fjqf" }, { "tags": [ "x_transferred" ], "url": "https://github.com/h2o/h2o/pull/3291" }, { "tags": [ "x_transferred" ], "url": "https://github.com/nodejs/node/pull/50121" }, { "tags": [ "x_transferred" ], "url": "https://github.com/dotnet/announcements/issues/277" }, { "tags": [ "x_transferred" ], "url": "https://github.com/golang/go/issues/63417" }, { "tags": [ "x_transferred" ], "url": "https://github.com/advisories/GHSA-vx74-f528-fxqg" }, { "tags": [ "x_transferred" ], "url": "https://github.com/apache/trafficserver/pull/10564" }, { "tags": [ "x_transferred" ], "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-44487" }, { "tags": [ "x_transferred" ], "url": "https://tomcat.apache.org/security-10.html#Fixed_in_Apache_Tomcat_10.1.14" }, { "tags": [ "x_transferred" ], "url": "https://lists.apache.org/thread/5py8h42mxfsn8l1wy6o41xwhsjlsd87q" }, { "tags": [ "x_transferred" ], "url": "https://www.openwall.com/lists/oss-security/2023/10/10/6" }, { "tags": [ "x_transferred" ], "url": "https://www.haproxy.com/blog/haproxy-is-not-affected-by-the-http-2-rapid-reset-attack-cve-2023-44487" }, { "tags": [ "x_transferred" ], "url": "https://github.com/opensearch-project/data-prepper/issues/3474" }, { "tags": [ "x_transferred" ], "url": "https://github.com/kubernetes/kubernetes/pull/121120" }, { "tags": [ "x_transferred" ], "url": "https://github.com/oqtane/oqtane.framework/discussions/3367" }, { "tags": [ "x_transferred" ], "url": "https://github.com/advisories/GHSA-xpw8-rcwv-8f8p" }, { "tags": [ "x_transferred" ], "url": "https://netty.io/news/2023/10/10/4-1-100-Final.html" }, { "tags": [ "x_transferred" ], "url": "https://www.cisa.gov/news-events/alerts/2023/10/10/http2-rapid-reset-vulnerability-cve-2023-44487" }, { "tags": [ "x_transferred" ], "url": "https://www.theregister.com/2023/10/10/http2_rapid_reset_zeroday/" }, { "tags": [ "x_transferred" ], "url": "https://blog.qualys.com/vulnerabilities-threat-research/2023/10/10/cve-2023-44487-http-2-rapid-reset-attack" }, { "tags": [ "x_transferred" ], "url": "https://news.ycombinator.com/item?id=37837043" }, { "tags": [ "x_transferred" ], "url": "https://github.com/kazu-yamamoto/http2/issues/93" }, { "tags": [ "x_transferred" ], "url": "https://martinthomson.github.io/h2-stream-limits/draft-thomson-httpbis-h2-stream-limits.html" }, { "tags": [ "x_transferred" ], "url": "https://github.com/kazu-yamamoto/http2/commit/f61d41a502bd0f60eb24e1ce14edc7b6df6722a1" }, { "tags": [ "x_transferred" ], "url": "https://github.com/apache/httpd/blob/afcdbeebbff4b0c50ea26cdd16e178c0d1f24152/modules/http2/h2_mplx.c#L1101-L1113" }, { "name": "DSA-5522", "tags": [ "vendor-advisory", "x_transferred" ], "url": "https://www.debian.org/security/2023/dsa-5522" }, { "name": "DSA-5521", "tags": [ "vendor-advisory", "x_transferred" ], "url": "https://www.debian.org/security/2023/dsa-5521" }, { "tags": [ "x_transferred" ], "url": "https://access.redhat.com/security/cve/cve-2023-44487" }, { "tags": [ "x_transferred" ], "url": "https://github.com/ninenines/cowboy/issues/1615" }, { "tags": [ "x_transferred" ], "url": "https://github.com/varnishcache/varnish-cache/issues/3996" }, { "tags": [ "x_transferred" ], "url": "https://github.com/tempesta-tech/tempesta/issues/1986" }, { "tags": [ "x_transferred" ], "url": "https://blog.vespa.ai/cve-2023-44487/" }, { "tags": [ "x_transferred" ], "url": "https://github.com/etcd-io/etcd/issues/16740" }, { "tags": [ "x_transferred" ], "url": "https://www.darkreading.com/cloud/internet-wide-zero-day-bug-fuels-largest-ever-ddos-event" }, { "tags": [ "x_transferred" ], "url": "https://istio.io/latest/news/security/istio-security-2023-004/" }, { "tags": [ "x_transferred" ], "url": "https://github.com/junkurihara/rust-rpxy/issues/97" }, { "tags": [ "x_transferred" ], "url": "https://bugzilla.suse.com/show_bug.cgi?id=1216123" }, { "tags": [ "x_transferred" ], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2242803" }, { "tags": [ "x_transferred" ], "url": "https://ubuntu.com/security/CVE-2023-44487" }, { "tags": [ "x_transferred" ], "url": "https://community.traefik.io/t/is-traefik-vulnerable-to-cve-2023-44487/20125" }, { "tags": [ "x_transferred" ], "url": "https://github.com/advisories/GHSA-qppj-fm5r-hxr3" }, { "tags": [ "x_transferred" ], "url": "https://github.com/apache/httpd-site/pull/10" }, { "tags": [ "x_transferred" ], "url": "https://github.com/projectcontour/contour/pull/5826" }, { "tags": [ "x_transferred" ], "url": "https://github.com/linkerd/website/pull/1695/commits/4b9c6836471bc8270ab48aae6fd2181bc73fd632" }, { "tags": [ "x_transferred" ], "url": "https://github.com/line/armeria/pull/5232" }, { "tags": [ "x_transferred" ], "url": "https://blog.litespeedtech.com/2023/10/11/rapid-reset-http-2-vulnerablilty/" }, { "tags": [ "x_transferred" ], "url": "https://security.paloaltonetworks.com/CVE-2023-44487" }, { "tags": [ "x_transferred" ], "url": "https://github.com/akka/akka-http/issues/4323" }, { "tags": [ "x_transferred" ], "url": "https://github.com/openresty/openresty/issues/930" }, { "tags": [ "x_transferred" ], "url": "https://github.com/apache/apisix/issues/10320" }, { "tags": [ "x_transferred" ], "url": "https://github.com/Azure/AKS/issues/3947" }, { "tags": [ "x_transferred" ], "url": "https://github.com/Kong/kong/discussions/11741" }, { "tags": [ "x_transferred" ], "url": "https://github.com/arkrwn/PoC/tree/main/CVE-2023-44487" }, { "tags": [ "x_transferred" ], "url": "https://www.netlify.com/blog/netlify-successfully-mitigates-cve-2023-44487/" }, { "tags": [ "x_transferred" ], "url": "https://github.com/caddyserver/caddy/releases/tag/v2.7.5" }, { "name": "[debian-lts-announce] 20231013 [SECURITY] [DLA 3617-1] tomcat9 security update", "tags": [ "mailing-list", "x_transferred" ], "url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00020.html" }, { "name": "[oss-security] 20231013 Re: CVE-2023-44487: HTTP/2 Rapid Reset attack against many implementations", "tags": [ "mailing-list", "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2023/10/13/4" }, { "name": "[oss-security] 20231013 Re: CVE-2023-44487: HTTP/2 Rapid Reset attack against many implementations", "tags": [ "mailing-list", "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2023/10/13/9" }, { "tags": [ "x_transferred" ], "url": "https://arstechnica.com/security/2023/10/how-ddosers-used-the-http-2-protocol-to-deliver-attacks-of-unprecedented-size/" }, { "tags": [ "x_transferred" ], "url": "https://lists.w3.org/Archives/Public/ietf-http-wg/2023OctDec/0025.html" }, { "name": "FEDORA-2023-ed2642fd58", "tags": [ "vendor-advisory", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JMEXY22BFG5Q64HQCM5CK2Q7KDKVV4TY/" }, { "tags": [ "x_transferred" ], "url": "https://linkerd.io/2023/10/12/linkerd-cve-2023-44487/" }, { "name": "[debian-lts-announce] 20231016 [SECURITY] [DLA 3621-1] nghttp2 security update", "tags": [ "mailing-list", "x_transferred" ], "url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00023.html" }, { "tags": [ "x_transferred" ], "url": "https://security.netapp.com/advisory/ntap-20231016-0001/" }, { "name": "[debian-lts-announce] 20231016 [SECURITY] [DLA 3617-2] tomcat9 regression update", "tags": [ "mailing-list", "x_transferred" ], "url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00024.html" }, { "name": "[oss-security] 20231018 Vulnerability in Jenkins", "tags": [ "mailing-list", "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2023/10/18/4" }, { "name": "[oss-security] 20231018 Re: CVE-2023-44487: HTTP/2 Rapid Reset attack against many implementations", "tags": [ "mailing-list", "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2023/10/18/8" }, { "name": "[oss-security] 20231019 CVE-2023-45802: Apache HTTP Server: HTTP/2 stream memory not reclaimed right away on RST", "tags": [ "mailing-list", "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2023/10/19/6" }, { "name": "FEDORA-2023-54fadada12", "tags": [ "vendor-advisory", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZKQSIKIAT5TJ3WSLU3RDBQ35YX4GY4V3/" }, { "name": "FEDORA-2023-5ff7bf1dd8", "tags": [ "vendor-advisory", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JIZSEFC3YKCGABA2BZW6ZJRMDZJMB7PJ/" }, { "name": "[oss-security] 20231020 Re: CVE-2023-44487: HTTP/2 Rapid Reset attack against many implementations", "tags": [ "mailing-list", "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2023/10/20/8" }, { "name": "FEDORA-2023-17efd3f2cd", "tags": [ "vendor-advisory", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WLPRQ5TWUQQXYWBJM7ECYDAIL2YVKIUH/" }, { "name": "FEDORA-2023-d5030c983c", "tags": [ "vendor-advisory", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/E72T67UPDRXHIDLO3OROR25YAMN4GGW5/" }, { "name": "FEDORA-2023-0259c3f26f", "tags": [ "vendor-advisory", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BFQD3KUEMFBHPAPBGLWQC34L4OWL5HAZ/" }, { "name": "FEDORA-2023-2a9214af5f", "tags": [ "vendor-advisory", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZLU6U2R2IC2K64NDPNMV55AUAO65MAF4/" }, { "name": "FEDORA-2023-e9c04d81c1", "tags": [ "vendor-advisory", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/X6QXN4ORIVF6XBW4WWFE7VNPVC74S45Y/" }, { "name": "FEDORA-2023-f66fc0f62a", "tags": [ "vendor-advisory", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LKYHSZQFDNR7RSA7LHVLLIAQMVYCUGBG/" }, { "name": "FEDORA-2023-4d2fd884ea", "tags": [ "vendor-advisory", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FNA62Q767CFAFHBCDKYNPBMZWB7TWYVU/" }, { "name": "FEDORA-2023-b2c50535cb", "tags": [ "vendor-advisory", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LNMZJCDHGLJJLXO4OXWJMTVQRNWOC7UL/" }, { "name": "FEDORA-2023-fe53e13b5b", "tags": [ "vendor-advisory", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KSEGD2IWKNUO3DWY4KQGUQM5BISRWHQE/" }, { "name": "FEDORA-2023-4bf641255e", "tags": [ "vendor-advisory", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CLB4TW7KALB3EEQWNWCN7OUIWWVWWCG2/" }, { "name": "[debian-lts-announce] 20231030 [SECURITY] [DLA 3641-1] jetty9 security update", "tags": [ "mailing-list", "x_transferred" ], "url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00045.html" }, { "name": "DSA-5540", "tags": [ "vendor-advisory", "x_transferred" ], "url": "https://www.debian.org/security/2023/dsa-5540" }, { "name": "[debian-lts-announce] 20231031 [SECURITY] [DLA 3638-1] h2o security update", "tags": [ "mailing-list", "x_transferred" ], "url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00047.html" }, { "tags": [ "x_transferred" ], "url": "https://discuss.hashicorp.com/t/hcsec-2023-32-vault-consul-and-boundary-affected-by-http-2-rapid-reset-denial-of-service-vulnerability-cve-2023-44487/59715" }, { "name": "FEDORA-2023-1caffb88af", "tags": [ "vendor-advisory", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VHUHTSXLXGXS7JYKBXTA3VINUPHTNGVU/" }, { "name": "FEDORA-2023-3f70b8d406", "tags": [ "vendor-advisory", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VSRDIV77HNKUSM7SJC5BKE5JSHLHU2NK/" }, { "name": "FEDORA-2023-7b52921cae", "tags": [ "vendor-advisory", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3N4NJ7FR4X4FPZUGNTQAPSTVB2HB2Y4A/" }, { "name": "FEDORA-2023-7934802344", "tags": [ "vendor-advisory", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZB43REMKRQR62NJEI7I5NQ4FSXNLBKRT/" }, { "name": "FEDORA-2023-dbe64661af", "tags": [ "vendor-advisory", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HT7T2R4MQKLIF4ODV4BDLPARWFPCJ5CZ/" }, { "name": "FEDORA-2023-822aab0a5a", "tags": [ "vendor-advisory", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XFOIBB4YFICHDM7IBOP7PWXW3FX4HLL2/" }, { "name": "[debian-lts-announce] 20231105 [SECURITY] [DLA 3645-1] trafficserver security update", "tags": [ "mailing-list", "x_transferred" ], "url": "https://lists.debian.org/debian-lts-announce/2023/11/msg00001.html" }, { "name": "DSA-5549", "tags": [ "vendor-advisory", "x_transferred" ], "url": "https://www.debian.org/security/2023/dsa-5549" }, { "name": "FEDORA-2023-c0c6a91330", "tags": [ "vendor-advisory", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2MBEPPC36UBVOZZNAXFHKLFGSLCMN5LI/" }, { "name": "FEDORA-2023-492b7be466", "tags": [ "vendor-advisory", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WE2I52RHNNU42PX6NZ2RBUHSFFJ2LVZX/" }, { "name": "DSA-5558", "tags": [ "vendor-advisory", "x_transferred" ], "url": "https://www.debian.org/security/2023/dsa-5558" }, { "name": "[debian-lts-announce] 20231119 [SECURITY] [DLA 3656-1] netty security update", "tags": [ "mailing-list", "x_transferred" ], "url": "https://lists.debian.org/debian-lts-announce/2023/11/msg00012.html" }, { "name": "GLSA-202311-09", "tags": [ "vendor-advisory", "x_transferred" ], "url": "https://security.gentoo.org/glsa/202311-09" }, { "name": "DSA-5570", "tags": [ "vendor-advisory", "x_transferred" ], "url": "https://www.debian.org/security/2023/dsa-5570" }, { "tags": [ "x_transferred" ], "url": "https://security.netapp.com/advisory/ntap-20240426-0007/" }, { "tags": [ "x_transferred" ], "url": "https://security.netapp.com/advisory/ntap-20240621-0006/" }, { "tags": [ "x_transferred" ], "url": "https://security.netapp.com/advisory/ntap-20240621-0007/" }, { "url": "https://www.vicarius.io/vsociety/posts/rapid-reset-cve-2023-44487-dos-in-http2-understanding-the-root-cause" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2024-06-21T19:08:34.967324", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "url": "https://github.com/dotnet/core/blob/e4613450ea0da7fd2fc6b61dfb2c1c1dec1ce9ec/release-notes/6.0/6.0.23/6.0.23.md?plain=1#L73" }, { "url": "https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/" }, { "url": "https://aws.amazon.com/security/security-bulletins/AWS-2023-011/" }, { "url": "https://cloud.google.com/blog/products/identity-security/how-it-works-the-novel-http2-rapid-reset-ddos-attack" }, { "url": "https://www.nginx.com/blog/http-2-rapid-reset-attack-impacting-f5-nginx-products/" }, { "url": "https://cloud.google.com/blog/products/identity-security/google-cloud-mitigated-largest-ddos-attack-peaking-above-398-million-rps/" }, { "url": "https://news.ycombinator.com/item?id=37831062" }, { "url": "https://blog.cloudflare.com/zero-day-rapid-reset-http2-record-breaking-ddos-attack/" }, { "url": "https://www.phoronix.com/news/HTTP2-Rapid-Reset-Attack" }, { "url": "https://github.com/envoyproxy/envoy/pull/30055" }, { "url": "https://github.com/haproxy/haproxy/issues/2312" }, { "url": "https://github.com/eclipse/jetty.project/issues/10679" }, { "url": "https://forums.swift.org/t/swift-nio-http2-security-update-cve-2023-44487-http-2-dos/67764" }, { "url": "https://github.com/nghttp2/nghttp2/pull/1961" }, { "url": "https://github.com/netty/netty/commit/58f75f665aa81a8cbcf6ffa74820042a285c5e61" }, { "url": "https://github.com/alibaba/tengine/issues/1872" }, { "url": "https://github.com/apache/tomcat/tree/main/java/org/apache/coyote/http2" }, { "url": "https://news.ycombinator.com/item?id=37830987" }, { "url": "https://news.ycombinator.com/item?id=37830998" }, { "url": "https://github.com/caddyserver/caddy/issues/5877" }, { "url": "https://www.bleepingcomputer.com/news/security/new-http-2-rapid-reset-zero-day-attack-breaks-ddos-records/" }, { "url": "https://github.com/bcdannyboy/CVE-2023-44487" }, { "url": "https://github.com/grpc/grpc-go/pull/6703" }, { "url": "https://github.com/icing/mod_h2/blob/0a864782af0a942aa2ad4ed960a6b32cd35bcf0a/mod_http2/README.md?plain=1#L239-L244" }, { "url": "https://github.com/nghttp2/nghttp2/releases/tag/v1.57.0" }, { "url": "https://mailman.nginx.org/pipermail/nginx-devel/2023-October/S36Q5HBXR7CAIMPLLPRSSSYR4PCMWILK.html" }, { "url": "https://my.f5.com/manage/s/article/K000137106" }, { "url": "https://msrc.microsoft.com/blog/2023/10/microsoft-response-to-distributed-denial-of-service-ddos-attacks-against-http/2/" }, { "url": "https://bugzilla.proxmox.com/show_bug.cgi?id=4988" }, { "url": "https://cgit.freebsd.org/ports/commit/?id=c64c329c2c1752f46b73e3e6ce9f4329be6629f9" }, { "url": "https://seanmonstar.com/post/730794151136935936/hyper-http2-rapid-reset-unaffected" }, { "url": "https://github.com/microsoft/CBL-Mariner/pull/6381" }, { "url": "https://groups.google.com/g/golang-announce/c/iNNxDTCjZvo" }, { "url": "https://github.com/facebook/proxygen/pull/466" }, { "url": "https://gist.github.com/adulau/7c2bfb8e9cdbe4b35a5e131c66a0c088" }, { "url": "https://github.com/micrictor/http2-rst-stream" }, { "url": "https://edg.io/lp/blog/resets-leaks-ddos-and-the-tale-of-a-hidden-cve" }, { "url": "https://openssf.org/blog/2023/10/10/http-2-rapid-reset-vulnerability-highlights-need-for-rapid-response/" }, { "url": "https://github.com/h2o/h2o/security/advisories/GHSA-2m7v-gc89-fjqf" }, { "url": "https://github.com/h2o/h2o/pull/3291" }, { "url": "https://github.com/nodejs/node/pull/50121" }, { "url": "https://github.com/dotnet/announcements/issues/277" }, { "url": "https://github.com/golang/go/issues/63417" }, { "url": "https://github.com/advisories/GHSA-vx74-f528-fxqg" }, { "url": "https://github.com/apache/trafficserver/pull/10564" }, { "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-44487" }, { "url": "https://tomcat.apache.org/security-10.html#Fixed_in_Apache_Tomcat_10.1.14" }, { "url": "https://lists.apache.org/thread/5py8h42mxfsn8l1wy6o41xwhsjlsd87q" }, { "url": "https://www.openwall.com/lists/oss-security/2023/10/10/6" }, { "url": "https://www.haproxy.com/blog/haproxy-is-not-affected-by-the-http-2-rapid-reset-attack-cve-2023-44487" }, { "url": "https://github.com/opensearch-project/data-prepper/issues/3474" }, { "url": "https://github.com/kubernetes/kubernetes/pull/121120" }, { "url": "https://github.com/oqtane/oqtane.framework/discussions/3367" }, { "url": "https://github.com/advisories/GHSA-xpw8-rcwv-8f8p" }, { "url": "https://netty.io/news/2023/10/10/4-1-100-Final.html" }, { "url": "https://www.cisa.gov/news-events/alerts/2023/10/10/http2-rapid-reset-vulnerability-cve-2023-44487" }, { "url": "https://www.theregister.com/2023/10/10/http2_rapid_reset_zeroday/" }, { "url": "https://blog.qualys.com/vulnerabilities-threat-research/2023/10/10/cve-2023-44487-http-2-rapid-reset-attack" }, { "url": "https://news.ycombinator.com/item?id=37837043" }, { "url": "https://github.com/kazu-yamamoto/http2/issues/93" }, { "url": "https://martinthomson.github.io/h2-stream-limits/draft-thomson-httpbis-h2-stream-limits.html" }, { "url": "https://github.com/kazu-yamamoto/http2/commit/f61d41a502bd0f60eb24e1ce14edc7b6df6722a1" }, { "url": "https://github.com/apache/httpd/blob/afcdbeebbff4b0c50ea26cdd16e178c0d1f24152/modules/http2/h2_mplx.c#L1101-L1113" }, { "name": "DSA-5522", "tags": [ "vendor-advisory" ], "url": "https://www.debian.org/security/2023/dsa-5522" }, { "name": "DSA-5521", "tags": [ "vendor-advisory" ], "url": "https://www.debian.org/security/2023/dsa-5521" }, { "url": "https://access.redhat.com/security/cve/cve-2023-44487" }, { "url": "https://github.com/ninenines/cowboy/issues/1615" }, { "url": "https://github.com/varnishcache/varnish-cache/issues/3996" }, { "url": "https://github.com/tempesta-tech/tempesta/issues/1986" }, { "url": "https://blog.vespa.ai/cve-2023-44487/" }, { "url": "https://github.com/etcd-io/etcd/issues/16740" }, { "url": "https://www.darkreading.com/cloud/internet-wide-zero-day-bug-fuels-largest-ever-ddos-event" }, { "url": "https://istio.io/latest/news/security/istio-security-2023-004/" }, { "url": "https://github.com/junkurihara/rust-rpxy/issues/97" }, { "url": "https://bugzilla.suse.com/show_bug.cgi?id=1216123" }, { "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2242803" }, { "url": "https://ubuntu.com/security/CVE-2023-44487" }, { "url": "https://community.traefik.io/t/is-traefik-vulnerable-to-cve-2023-44487/20125" }, { "url": "https://github.com/advisories/GHSA-qppj-fm5r-hxr3" }, { "url": "https://github.com/apache/httpd-site/pull/10" }, { "url": "https://github.com/projectcontour/contour/pull/5826" }, { "url": "https://github.com/linkerd/website/pull/1695/commits/4b9c6836471bc8270ab48aae6fd2181bc73fd632" }, { "url": "https://github.com/line/armeria/pull/5232" }, { "url": "https://blog.litespeedtech.com/2023/10/11/rapid-reset-http-2-vulnerablilty/" }, { "url": "https://security.paloaltonetworks.com/CVE-2023-44487" }, { "url": "https://github.com/akka/akka-http/issues/4323" }, { "url": "https://github.com/openresty/openresty/issues/930" }, { "url": "https://github.com/apache/apisix/issues/10320" }, { "url": "https://github.com/Azure/AKS/issues/3947" }, { "url": "https://github.com/Kong/kong/discussions/11741" }, { "url": "https://github.com/arkrwn/PoC/tree/main/CVE-2023-44487" }, { "url": "https://www.netlify.com/blog/netlify-successfully-mitigates-cve-2023-44487/" }, { "url": "https://github.com/caddyserver/caddy/releases/tag/v2.7.5" }, { "name": "[debian-lts-announce] 20231013 [SECURITY] [DLA 3617-1] tomcat9 security update", "tags": [ "mailing-list" ], "url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00020.html" }, { "name": "[oss-security] 20231013 Re: CVE-2023-44487: HTTP/2 Rapid Reset attack against many implementations", "tags": [ "mailing-list" ], "url": "http://www.openwall.com/lists/oss-security/2023/10/13/4" }, { "name": "[oss-security] 20231013 Re: CVE-2023-44487: HTTP/2 Rapid Reset attack against many implementations", "tags": [ "mailing-list" ], "url": "http://www.openwall.com/lists/oss-security/2023/10/13/9" }, { "url": "https://arstechnica.com/security/2023/10/how-ddosers-used-the-http-2-protocol-to-deliver-attacks-of-unprecedented-size/" }, { "url": "https://lists.w3.org/Archives/Public/ietf-http-wg/2023OctDec/0025.html" }, { "name": "FEDORA-2023-ed2642fd58", "tags": [ "vendor-advisory" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JMEXY22BFG5Q64HQCM5CK2Q7KDKVV4TY/" }, { "url": "https://linkerd.io/2023/10/12/linkerd-cve-2023-44487/" }, { "name": "[debian-lts-announce] 20231016 [SECURITY] [DLA 3621-1] nghttp2 security update", "tags": [ "mailing-list" ], "url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00023.html" }, { "url": "https://security.netapp.com/advisory/ntap-20231016-0001/" }, { "name": "[debian-lts-announce] 20231016 [SECURITY] [DLA 3617-2] tomcat9 regression update", "tags": [ "mailing-list" ], "url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00024.html" }, { "name": "[oss-security] 20231018 Vulnerability in Jenkins", "tags": [ "mailing-list" ], "url": "http://www.openwall.com/lists/oss-security/2023/10/18/4" }, { "name": "[oss-security] 20231018 Re: CVE-2023-44487: HTTP/2 Rapid Reset attack against many implementations", "tags": [ "mailing-list" ], "url": "http://www.openwall.com/lists/oss-security/2023/10/18/8" }, { "name": "[oss-security] 20231019 CVE-2023-45802: Apache HTTP Server: HTTP/2 stream memory not reclaimed right away on RST", "tags": [ "mailing-list" ], "url": "http://www.openwall.com/lists/oss-security/2023/10/19/6" }, { "name": "FEDORA-2023-54fadada12", "tags": [ "vendor-advisory" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZKQSIKIAT5TJ3WSLU3RDBQ35YX4GY4V3/" }, { "name": "FEDORA-2023-5ff7bf1dd8", "tags": [ "vendor-advisory" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JIZSEFC3YKCGABA2BZW6ZJRMDZJMB7PJ/" }, { "name": "[oss-security] 20231020 Re: CVE-2023-44487: HTTP/2 Rapid Reset attack against many implementations", "tags": [ "mailing-list" ], "url": "http://www.openwall.com/lists/oss-security/2023/10/20/8" }, { "name": "FEDORA-2023-17efd3f2cd", "tags": [ "vendor-advisory" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WLPRQ5TWUQQXYWBJM7ECYDAIL2YVKIUH/" }, { "name": "FEDORA-2023-d5030c983c", "tags": [ "vendor-advisory" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/E72T67UPDRXHIDLO3OROR25YAMN4GGW5/" }, { "name": "FEDORA-2023-0259c3f26f", "tags": [ "vendor-advisory" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BFQD3KUEMFBHPAPBGLWQC34L4OWL5HAZ/" }, { "name": "FEDORA-2023-2a9214af5f", "tags": [ "vendor-advisory" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZLU6U2R2IC2K64NDPNMV55AUAO65MAF4/" }, { "name": "FEDORA-2023-e9c04d81c1", "tags": [ "vendor-advisory" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/X6QXN4ORIVF6XBW4WWFE7VNPVC74S45Y/" }, { "name": "FEDORA-2023-f66fc0f62a", "tags": [ "vendor-advisory" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LKYHSZQFDNR7RSA7LHVLLIAQMVYCUGBG/" }, { "name": "FEDORA-2023-4d2fd884ea", "tags": [ "vendor-advisory" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FNA62Q767CFAFHBCDKYNPBMZWB7TWYVU/" }, { "name": "FEDORA-2023-b2c50535cb", "tags": [ "vendor-advisory" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LNMZJCDHGLJJLXO4OXWJMTVQRNWOC7UL/" }, { "name": "FEDORA-2023-fe53e13b5b", "tags": [ "vendor-advisory" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KSEGD2IWKNUO3DWY4KQGUQM5BISRWHQE/" }, { "name": "FEDORA-2023-4bf641255e", "tags": [ "vendor-advisory" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CLB4TW7KALB3EEQWNWCN7OUIWWVWWCG2/" }, { "name": "[debian-lts-announce] 20231030 [SECURITY] [DLA 3641-1] jetty9 security update", "tags": [ "mailing-list" ], "url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00045.html" }, { "name": "DSA-5540", "tags": [ "vendor-advisory" ], "url": "https://www.debian.org/security/2023/dsa-5540" }, { "name": "[debian-lts-announce] 20231031 [SECURITY] [DLA 3638-1] h2o security update", "tags": [ "mailing-list" ], "url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00047.html" }, { "url": "https://discuss.hashicorp.com/t/hcsec-2023-32-vault-consul-and-boundary-affected-by-http-2-rapid-reset-denial-of-service-vulnerability-cve-2023-44487/59715" }, { "name": "FEDORA-2023-1caffb88af", "tags": [ "vendor-advisory" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VHUHTSXLXGXS7JYKBXTA3VINUPHTNGVU/" }, { "name": "FEDORA-2023-3f70b8d406", "tags": [ "vendor-advisory" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VSRDIV77HNKUSM7SJC5BKE5JSHLHU2NK/" }, { "name": "FEDORA-2023-7b52921cae", "tags": [ "vendor-advisory" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3N4NJ7FR4X4FPZUGNTQAPSTVB2HB2Y4A/" }, { "name": "FEDORA-2023-7934802344", "tags": [ "vendor-advisory" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZB43REMKRQR62NJEI7I5NQ4FSXNLBKRT/" }, { "name": "FEDORA-2023-dbe64661af", "tags": [ "vendor-advisory" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HT7T2R4MQKLIF4ODV4BDLPARWFPCJ5CZ/" }, { "name": "FEDORA-2023-822aab0a5a", "tags": [ "vendor-advisory" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XFOIBB4YFICHDM7IBOP7PWXW3FX4HLL2/" }, { "name": "[debian-lts-announce] 20231105 [SECURITY] [DLA 3645-1] trafficserver security update", "tags": [ "mailing-list" ], "url": "https://lists.debian.org/debian-lts-announce/2023/11/msg00001.html" }, { "name": "DSA-5549", "tags": [ "vendor-advisory" ], "url": "https://www.debian.org/security/2023/dsa-5549" }, { "name": "FEDORA-2023-c0c6a91330", "tags": [ "vendor-advisory" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2MBEPPC36UBVOZZNAXFHKLFGSLCMN5LI/" }, { "name": "FEDORA-2023-492b7be466", "tags": [ "vendor-advisory" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WE2I52RHNNU42PX6NZ2RBUHSFFJ2LVZX/" }, { "name": "DSA-5558", "tags": [ "vendor-advisory" ], "url": "https://www.debian.org/security/2023/dsa-5558" }, { "name": "[debian-lts-announce] 20231119 [SECURITY] [DLA 3656-1] netty security update", "tags": [ "mailing-list" ], "url": "https://lists.debian.org/debian-lts-announce/2023/11/msg00012.html" }, { "name": "GLSA-202311-09", "tags": [ "vendor-advisory" ], "url": "https://security.gentoo.org/glsa/202311-09" }, { "name": "DSA-5570", "tags": [ "vendor-advisory" ], "url": "https://www.debian.org/security/2023/dsa-5570" }, { "url": "https://security.netapp.com/advisory/ntap-20240426-0007/" }, { "url": "https://security.netapp.com/advisory/ntap-20240621-0006/" }, { "url": "https://security.netapp.com/advisory/ntap-20240621-0007/" } ] } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2023-44487", "datePublished": "2023-10-10T00:00:00", "dateReserved": "2023-09-29T00:00:00", "dateUpdated": "2024-08-19T07:48:04.546Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2022-40146
Vulnerability from cvelistv5
Published
2022-09-22 00:00
Modified
2024-08-03 12:14
Severity ?
EPSS score ?
Summary
Server-Side Request Forgery (SSRF) vulnerability in Batik of Apache XML Graphics allows an attacker to access files using a Jar url. This issue affects Apache XML Graphics Batik 1.14.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | Apache Software Foundation | Apache XML Graphics |
Version: Batik 1.14 |
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T12:14:39.979Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://lists.apache.org/thread/hxtddqjty2sbs12y97c8g7xfh17jzxsx" }, { "name": "[debian-lts-announce] 20231014 [SECURITY] [DLA 3619-1] batik security update", "tags": [ "mailing-list", "x_transferred" ], "url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00021.html" }, { "name": "GLSA-202401-11", "tags": [ "vendor-advisory", "x_transferred" ], "url": "https://security.gentoo.org/glsa/202401-11" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Apache XML Graphics", "vendor": "Apache Software Foundation", "versions": [ { "status": "affected", "version": "Batik 1.14" } ] } ], "descriptions": [ { "lang": "en", "value": "Server-Side Request Forgery (SSRF) vulnerability in Batik of Apache XML Graphics allows an attacker to access files using a Jar url. This issue affects Apache XML Graphics Batik 1.14." } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-918", "description": "CWE-918 Server-Side Request Forgery (SSRF)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-01-07T11:06:18.978965", "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache" }, "references": [ { "url": "https://lists.apache.org/thread/hxtddqjty2sbs12y97c8g7xfh17jzxsx" }, { "name": "[debian-lts-announce] 20231014 [SECURITY] [DLA 3619-1] batik security update", "tags": [ "mailing-list" ], "url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00021.html" }, { "name": "GLSA-202401-11", "tags": [ "vendor-advisory" ], "url": "https://security.gentoo.org/glsa/202401-11" } ], "source": { "discovery": "UNKNOWN" }, "title": "Jar url should be blocked by DefaultScriptSecurity", "x_generator": { "engine": "Vulnogram 0.0.9" } } }, "cveMetadata": { "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "assignerShortName": "apache", "cveId": "CVE-2022-40146", "datePublished": "2022-09-22T00:00:00", "dateReserved": "2022-09-07T00:00:00", "dateUpdated": "2024-08-03T12:14:39.979Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2021-28165
Vulnerability from cvelistv5
Published
2021-04-01 14:20
Modified
2024-08-03 21:40
Severity ?
EPSS score ?
Summary
In Eclipse Jetty 7.2.2 to 9.4.38, 10.0.0.alpha0 to 10.0.1, and 11.0.0.alpha0 to 11.0.1, CPU usage can reach 100% upon receiving a large invalid TLS frame.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | The Eclipse Foundation | Eclipse Jetty |
Version: 7.2.2 < unspecified Version: unspecified < Version: 10.0.0.alpha0 < unspecified Version: unspecified < Version: 11.0.0.alpha0 < unspecified Version: unspecified < |
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T21:40:12.085Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/eclipse/jetty.project/security/advisories/GHSA-26vr-8j45-3r4w" }, { "name": "[zookeeper-issues] 20210407 [jira] [Updated] (ZOOKEEPER-4277) dependency-check:check failing - jetty-server-9.4.39 CVE-2021-28165", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r17e26cf9a1e3cbc09522d15ece5d7c7a00cdced7641b92a22a783287%40%3Cissues.zookeeper.apache.org%3E" }, { "name": "[zookeeper-issues] 20210407 [jira] [Assigned] (ZOOKEEPER-4277) dependency-check:check failing - jetty-server-9.4.39 CVE-2021-28165", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r5f172f2dd8fb02f032ef4437218fd4f610605a3dd4f2a024c1e43b94%40%3Cissues.zookeeper.apache.org%3E" }, { "name": "[zookeeper-notifications] 20210407 [GitHub] [zookeeper] nkalmar opened a new pull request #1675: ZOOKEEPER-4277: update jetty to 9.4.39 due to CVE-2021-28165", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/ra210e38ae0bf615084390b26ba01bb5d66c0a76f232277446ae0948a%40%3Cnotifications.zookeeper.apache.org%3E" }, { "name": "[zookeeper-issues] 20210407 [jira] [Updated] (ZOOKEEPER-4277) dependency-check:check failing - jetty-server-9.4.38 CVE-2021-28165", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/re577736ca7da51952c910b345a500b7676ea9931c9b19709b87f292b%40%3Cissues.zookeeper.apache.org%3E" }, { "name": "[zookeeper-issues] 20210407 [jira] [Created] (ZOOKEEPER-4277) dependency-check:check failing - jetty-server-9.4.39 CVE-2021-28165", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/rbcd7b477df55857bb6cae21fcc4404683ac98aac1a47551f0dc55486%40%3Cissues.zookeeper.apache.org%3E" }, { "name": "[zookeeper-notifications] 20210407 [GitHub] [zookeeper] nkalmar commented on pull request #1675: ZOOKEEPER-4277: update jetty to 9.4.39 due to CVE-2021-28165", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r9db72e9c33b93eba45a214af588f1d553839b5c3080fc913854a49ab%40%3Cnotifications.zookeeper.apache.org%3E" }, { "name": "[zookeeper-dev] 20210407 [jira] [Created] (ZOOKEEPER-4277) dependency-check:check failing - jetty-server-9.4.39 CVE-2021-28165", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/re6614b4fe7dbb945409daadb9e1cc73c02383df68bf9334736107a6e%40%3Cdev.zookeeper.apache.org%3E" }, { "name": "[zookeeper-dev] 20210407 Re: [VOTE] Apache ZooKeeper release 3.6.3 candidate 1", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r56e5568ac73daedcb3b5affbb4b908999f03d3c1b1ada3920b01e959%40%3Cdev.zookeeper.apache.org%3E" }, { "name": "[zookeeper-notifications] 20210407 [GitHub] [zookeeper] nkalmar opened a new pull request #1676: ZOOKEEPER-4277: update jetty to 9.4.39 due to CVE-2021-28165", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/ra21b3e6bd9669377139fe33fb46edf6fece3f31375bc42a0dcc964b2%40%3Cnotifications.zookeeper.apache.org%3E" }, { "name": "[zookeeper-notifications] 20210407 [GitHub] [zookeeper] nkalmar edited a comment on pull request #1675: ZOOKEEPER-4277: update jetty to 9.4.39 due to CVE-2021-28165", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/rbba0b02a3287e34af328070dd58f7828612f96e2e64992137f4dc63d%40%3Cnotifications.zookeeper.apache.org%3E" }, { "name": "[zookeeper-notifications] 20210407 [GitHub] [zookeeper] arshadmohammad commented on pull request #1675: ZOOKEEPER-4277: update jetty to 9.4.39 due to CVE-2021-28165", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/rf99f9a25ca24fe519c9346388f61b5b3a09be31b800bf37f01473ad7%40%3Cnotifications.zookeeper.apache.org%3E" }, { "name": "[zookeeper-commits] 20210407 [zookeeper] branch branch-3.6 updated: ZOOKEEPER-4277: update jetty to 9.4.39 due to CVE-2021-28165", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/rdf4fe435891e8c35e70ea5da033b4c3da78760f15a8c4212fad89d9f%40%3Ccommits.zookeeper.apache.org%3E" }, { "name": "[zookeeper-notifications] 20210407 [GitHub] [zookeeper] arshadmohammad closed pull request #1676: ZOOKEEPER-4277: update jetty to 9.4.39 due to CVE-2021-28165", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/rb11a13e623218c70b9f2a2d0d122fdaaf905e04a2edcd23761894464%40%3Cnotifications.zookeeper.apache.org%3E" }, { "name": "[zookeeper-commits] 20210407 [zookeeper] branch branch-3.7 updated: ZOOKEEPER-4277: update jetty to 9.4.39 due to CVE-2021-28165", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r7bf7004c18c914fae3d5a6a0191d477e5b6408d95669b3afbf6efa36%40%3Ccommits.zookeeper.apache.org%3E" }, { "name": "[zookeeper-notifications] 20210407 [GitHub] [zookeeper] asfgit closed pull request #1675: ZOOKEEPER-4277: update jetty to 9.4.39 due to CVE-2021-28165", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/ra9dd15ba8a4fb7e42c7fe948a6d6b3868fd6bbf8e3fb37fcf33b2cd0%40%3Cnotifications.zookeeper.apache.org%3E" }, { "name": "[zookeeper-notifications] 20210407 [GitHub] [zookeeper] arshadmohammad commented on pull request #1676: ZOOKEEPER-4277: update jetty to 9.4.39 due to CVE-2021-28165", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r002258611ed0c35b82b839d284b43db9dcdec120db8afc1c993137dc%40%3Cnotifications.zookeeper.apache.org%3E" }, { "name": "[zookeeper-commits] 20210407 [zookeeper] branch branch-3.5 updated: ZOOKEEPER-4277: update jetty to 9.4.39 due to CVE-2021-28165", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r0a241b0649beef90d422b42a26a2470d336e59e66970eafd54f9c3e2%40%3Ccommits.zookeeper.apache.org%3E" }, { "name": "[zookeeper-commits] 20210407 [zookeeper] branch branch-3.6.3 updated: ZOOKEEPER-4277: update jetty to 9.4.39 due to CVE-2021-28165", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/rc907ed7b089828364437de5ed57fa062330970dc1bc5cd214b711f77%40%3Ccommits.zookeeper.apache.org%3E" }, { "name": "[zookeeper-commits] 20210407 [zookeeper] branch master updated: ZOOKEEPER-4277: update jetty to 9.4.39 due to CVE-2021-28165", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r33eb3889ca0aa12720355e64fc2f8f1e8c0c28a4d55b3b4b8891becb%40%3Ccommits.zookeeper.apache.org%3E" }, { "name": "[hbase-dev] 20210407 [jira] [Created] (HBASE-25746) [hbase-thirdparty] Update jetty to \u003e= 9.4.39 due to CVE-2021-28165", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r4abbd760d24bab2b8f1294c5c9216ae915100099c4391ad64e9ae38b%40%3Cdev.hbase.apache.org%3E" }, { "name": "[hbase-issues] 20210407 [GitHub] [hbase-thirdparty] apurtell opened a new pull request #49: HBASE-25746 [hbase-thirdparty] Update jetty to \u003e= 9.4.39 due to CVE-2021-28165", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/ra50519652b0b7f869a14fbfb4be9758a29171d7fe561bb7e036e8449%40%3Cissues.hbase.apache.org%3E" }, { "name": "[hbase-issues] 20210407 [GitHub] [hbase-thirdparty] Apache-HBase commented on pull request #49: HBASE-25746 [hbase-thirdparty] Update jetty to \u003e= 9.4.39 due to CVE-2021-28165", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/rdbf2a2cd1800540ae50dd78b57411229223a6172117d62b8e57596aa%40%3Cissues.hbase.apache.org%3E" }, { "name": "[hbase-issues] 20210407 [jira] [Created] (HBASE-25746) [hbase-thirdparty] Update jetty to \u003e= 9.4.39 due to CVE-2021-28165", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/rbab9e67ec97591d063905bc7d4743e6a673f1bc457975fc0445ac97f%40%3Cissues.hbase.apache.org%3E" }, { "name": "[hbase-issues] 20210407 [jira] [Updated] (HBASE-25746) [hbase-thirdparty] Update jetty to \u003e= 9.4.39 due to CVE-2021-28165", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r0f02034a33076fd7243cf3a8807d2766e373f5cb2e7fd0c9a78f97c4%40%3Cissues.hbase.apache.org%3E" }, { "name": "[spark-issues] 20210408 [jira] [Created] (SPARK-34988) Upgrade Jetty for CVE-2021-28165", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r03ca0b69db1e3e5f72fe484b71370d537cd711cbf334e2913332730a%40%3Cissues.spark.apache.org%3E" }, { "name": "[spark-issues] 20210408 [jira] [Commented] (SPARK-34988) Upgrade Jetty for CVE-2021-28165", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r83453ec252af729996476e5839d0b28f07294959d60fea1bd76f7d81%40%3Cissues.spark.apache.org%3E" }, { "name": "[spark-reviews] 20210408 [GitHub] [spark] SparkQA commented on pull request #32091: [SPARK-34988][CORE] Upgrade Jetty for CVE-2021-28165", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r5d1f16dca2e010193840068f1a1ec17b7015e91acc646607cbc0a4da%40%3Creviews.spark.apache.org%3E" }, { "name": "[spark-reviews] 20210408 [GitHub] [spark] sarutak opened a new pull request #32091: [SPARK-34988][CORE] Upgrade Jetty for CVE-2021-28165", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r940f15db77a96f6aea92d830bc94d8d95f26cc593394d144755824da%40%3Creviews.spark.apache.org%3E" }, { "name": "[spark-issues] 20210408 [jira] [Updated] (SPARK-34988) Upgrade Jetty for CVE-2021-28165", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r7c40fb3a66a39b6e6c83b0454bc6917ffe6c69e3131322be9c07a1da%40%3Cissues.spark.apache.org%3E" }, { "name": "[spark-issues] 20210408 [jira] [Assigned] (SPARK-34988) Upgrade Jetty for CVE-2021-28165", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r942f4a903d0abb25ac75c592e57df98dea51350e8589269a72fd7913%40%3Cissues.spark.apache.org%3E" }, { "name": "[spark-reviews] 20210408 [GitHub] [spark] AmplabJenkins removed a comment on pull request #32091: [SPARK-34988][CORE] Upgrade Jetty for CVE-2021-28165", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/rf6de4c249bd74007f5f66f683c110535f46e719d2f83a41e8faf295f%40%3Creviews.spark.apache.org%3E" }, { "name": "[spark-reviews] 20210408 [GitHub] [spark] AmplabJenkins commented on pull request #32091: [SPARK-34988][CORE] Upgrade Jetty for CVE-2021-28165", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/rb8f5a6ded384eb00608e6137e87110e7dd7d5054cc34561cb89b81af%40%3Creviews.spark.apache.org%3E" }, { "name": "[spark-reviews] 20210408 [GitHub] [spark] sarutak opened a new pull request #32094: [SPARK-34988][CORE][3.0] Upgrade Jetty for CVE-2021-28165", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/re3a1617d16a7367f767b8209b2151f4c19958196354b39568c532f26%40%3Creviews.spark.apache.org%3E" }, { "name": "[spark-reviews] 20210408 [GitHub] [spark] HyukjinKwon commented on pull request #32093: [SPARK-34988][CORE][2.4] Upgrade Jetty for CVE-2021-28165", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r2f2d9c3b7cc750a6763d6388bcf5db0c7b467bd8be6ac4d6aea4f0cf%40%3Creviews.spark.apache.org%3E" }, { "name": "[spark-reviews] 20210408 [GitHub] [spark] sarutak opened a new pull request #32095: [SPARK-34988][CORE][3.1] Upgrade Jetty for CVE-2021-28165", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r0cd1a5e3f4ad4770b44f8aa96572fc09d5b35bec149c0cc247579c42%40%3Creviews.spark.apache.org%3E" }, { "name": "[spark-reviews] 20210408 [GitHub] [spark] sarutak commented on pull request #32091: [SPARK-34988][CORE] Upgrade Jetty for CVE-2021-28165", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/rdfe5f1c071ba9dadba18d7fb0ff13ea6ecb33da624250c559999eaeb%40%3Creviews.spark.apache.org%3E" }, { "name": "[spark-reviews] 20210408 [GitHub] [spark] SparkQA commented on pull request #32094: [SPARK-34988][CORE][3.0] Upgrade Jetty for CVE-2021-28165", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r9b793db9f395b546e66fb9c44fe1cd75c7755029e944dfee31b8b779%40%3Creviews.spark.apache.org%3E" }, { "name": "[spark-issues] 20210408 [jira] [Resolved] (SPARK-34988) Upgrade Jetty for CVE-2021-28165", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r9fae5a4087d9ed1c9d4f0c7493b6981a4741cfb4bebb2416da638424%40%3Cissues.spark.apache.org%3E" }, { "name": "[spark-reviews] 20210408 [GitHub] [spark] AmplabJenkins commented on pull request #32093: [SPARK-34988][CORE][2.4] Upgrade Jetty for CVE-2021-28165", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r769155244ca2da2948a44091bb3bb9a56e7e1c71ecc720b8ecf281f0%40%3Creviews.spark.apache.org%3E" }, { "name": "[spark-reviews] 20210408 [GitHub] [spark] MaxGekk commented on pull request #32091: [SPARK-34988][CORE] Upgrade Jetty for CVE-2021-28165", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/rfd3ff6e66b6bbcfb2fefa9f5a20328937c0369b2e142e3e1c6774743%40%3Creviews.spark.apache.org%3E" }, { "name": "[spark-reviews] 20210408 [GitHub] [spark] MaxGekk closed pull request #32091: [SPARK-34988][CORE] Upgrade Jetty for CVE-2021-28165", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/rb66ed0b4bb74836add60dd5ddf9172016380b2aeefb7f96fe348537b%40%3Creviews.spark.apache.org%3E" }, { "name": "[spark-reviews] 20210408 [GitHub] [spark] SparkQA commented on pull request #32093: [SPARK-34988][CORE][2.4] Upgrade Jetty for CVE-2021-28165", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/rc6c43c3180c0efe00497c73dd374cd34b62036cb67987ad42c1f2dce%40%3Creviews.spark.apache.org%3E" }, { "name": "[spark-reviews] 20210408 [GitHub] [spark] sarutak opened a new pull request #32093: [SPARK-34988][CORE][2.4] Upgrade Jetty for CVE-2021-28165", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r31f591a0deac927ede8ccc3eac4bb92697ee2361bf01549f9e3440ca%40%3Creviews.spark.apache.org%3E" }, { "name": "[spark-reviews] 20210408 [GitHub] [spark] SparkQA commented on pull request #32095: [SPARK-34988][CORE][3.1] Upgrade Jetty for CVE-2021-28165", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/rae8bbc5a516f3e21b8a55e61ff6ad0ced03bdbd116d2170a3eed9f5c%40%3Creviews.spark.apache.org%3E" }, { "name": "[spark-reviews] 20210408 [GitHub] [spark] AmplabJenkins removed a comment on pull request #32094: [SPARK-34988][CORE][3.0] Upgrade Jetty for CVE-2021-28165", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/rbd9a837a18ca57ac0d9b4165a6eec95ee132f55d025666fe41099f33%40%3Creviews.spark.apache.org%3E" }, { "name": "[spark-reviews] 20210408 [GitHub] [spark] AmplabJenkins removed a comment on pull request #32095: [SPARK-34988][CORE][3.1] Upgrade Jetty for CVE-2021-28165", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/raea6e820644e8c5a577f77d4e2044f8ab52183c2536b00c56738beef%40%3Creviews.spark.apache.org%3E" }, { "name": "[spark-reviews] 20210408 [GitHub] [spark] AmplabJenkins commented on pull request #32094: [SPARK-34988][CORE][3.0] Upgrade Jetty for CVE-2021-28165", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/rb1624b9777a3070135e94331a428c6653a6a1edccd56fa9fb7a547f2%40%3Creviews.spark.apache.org%3E" }, { "name": "[spark-reviews] 20210408 [GitHub] [spark] SparkQA removed a comment on pull request #32091: [SPARK-34988][CORE] Upgrade Jetty for CVE-2021-28165", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/ree1895a256a9db951e0d97a76222909c2e1f28c1a3d89933173deed6%40%3Creviews.spark.apache.org%3E" }, { "name": "[spark-reviews] 20210408 [GitHub] [spark] AmplabJenkins commented on pull request #32095: [SPARK-34988][CORE][3.1] Upgrade Jetty for CVE-2021-28165", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/rd6c1eb9a8a94b3ac8a525d74d792924e8469f201b77e1afcf774e7a6%40%3Creviews.spark.apache.org%3E" }, { "name": "[spark-reviews] 20210408 [GitHub] [spark] AmplabJenkins removed a comment on pull request #32093: [SPARK-34988][CORE][2.4] Upgrade Jetty for CVE-2021-28165", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/rb2d34abb67cdf525945fe4b821c5cdbca29a78d586ae1f9f505a311c%40%3Creviews.spark.apache.org%3E" }, { "name": "[spark-reviews] 20210408 [GitHub] [spark] SparkQA removed a comment on pull request #32093: [SPARK-34988][CORE][2.4] Upgrade Jetty for CVE-2021-28165", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/rb00345f6b1620b553d2cc1acaf3017aa75cea3776b911e024fa3b187%40%3Creviews.spark.apache.org%3E" }, { "name": "[spark-reviews] 20210408 [GitHub] [spark] SparkQA removed a comment on pull request #32094: [SPARK-34988][CORE][3.0] Upgrade Jetty for CVE-2021-28165", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r05db8e0ef01e1280cc7543575ae0fa1c2b4d06a8b928916ef65dd2ad%40%3Creviews.spark.apache.org%3E" }, { "name": "[spark-reviews] 20210408 [GitHub] [spark] SparkQA removed a comment on pull request #32095: [SPARK-34988][CORE][3.1] Upgrade Jetty for CVE-2021-28165", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r71031d0acb1de55c9ab32f4750c50ce2f28543252e887ca03bd5621e%40%3Creviews.spark.apache.org%3E" }, { "name": "[spark-reviews] 20210408 [GitHub] [spark] srowen commented on pull request #32095: [SPARK-34988][CORE][3.1] Upgrade Jetty for CVE-2021-28165", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r06d54a297cb8217c66e5190912a955fb870ba47da164002bf2baffe5%40%3Creviews.spark.apache.org%3E" }, { "name": "[spark-reviews] 20210408 [GitHub] [spark] srowen closed pull request #32093: [SPARK-34988][CORE][2.4] Upgrade Jetty for CVE-2021-28165", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/rdde34d53aa80193cda016272d61e6749f8a9044ccb37a30768938f7e%40%3Creviews.spark.apache.org%3E" }, { "name": "[spark-reviews] 20210408 [GitHub] [spark] dongjoon-hyun edited a comment on pull request #32095: [SPARK-34988][CORE][3.1] Upgrade Jetty for CVE-2021-28165", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r411d75dc6bcefadaaea246549dd18e8d391a880ddf28a796f09ce152%40%3Creviews.spark.apache.org%3E" }, { "name": "[spark-commits] 20210408 [spark] branch branch-3.0 updated: [SPARK-34988][CORE][3.0] Upgrade Jetty for CVE-2021-28165", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r2afc72af069a7fe89ca2de847f3ab3971cb1d668a9497c999946cd78%40%3Ccommits.spark.apache.org%3E" }, { "name": "[spark-reviews] 20210408 [GitHub] [spark] dongjoon-hyun closed pull request #32095: [SPARK-34988][CORE][3.1] Upgrade Jetty for CVE-2021-28165", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r0a4797ba6ceea8074f47574a4f3cc11493d514c1fab8203ebd212add%40%3Creviews.spark.apache.org%3E" }, { "name": "[spark-reviews] 20210408 [GitHub] [spark] srowen closed pull request #32094: [SPARK-34988][CORE][3.0] Upgrade Jetty for CVE-2021-28165", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r23785214d47673b811ef119ca3a40f729801865ea1e891572d15faa6%40%3Creviews.spark.apache.org%3E" }, { "name": "[spark-reviews] 20210408 [GitHub] [spark] viirya commented on pull request #32093: [SPARK-34988][CORE][2.4] Upgrade Jetty for CVE-2021-28165", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/rf1b02dfccd27b8bbc3afd119b212452fa32e9ed7d506be9357a3a7ec%40%3Creviews.spark.apache.org%3E" }, { "name": "[spark-reviews] 20210408 [GitHub] [spark] dongjoon-hyun commented on pull request #32093: [SPARK-34988][CORE][2.4] Upgrade Jetty for CVE-2021-28165", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r47a7542ab61da865fff3db0fe74bfe76c89a37b6e6d2c2a423f8baee%40%3Creviews.spark.apache.org%3E" }, { "name": "[spark-reviews] 20210408 [GitHub] [spark] srowen commented on pull request #32093: [SPARK-34988][CORE][2.4] Upgrade Jetty for CVE-2021-28165", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r72bf813ed4737196ea3ed26494e949577be587fd5939fe8be09907c7%40%3Creviews.spark.apache.org%3E" }, { "name": "[spark-reviews] 20210408 [GitHub] [spark] srowen commented on pull request #32094: [SPARK-34988][CORE][3.0] Upgrade Jetty for CVE-2021-28165", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r746434be6abff9ad321ff54ecae09e1f09c1c7c139021f40a5774090%40%3Creviews.spark.apache.org%3E" }, { "name": "[spark-reviews] 20210408 [GitHub] [spark] dongjoon-hyun commented on pull request #32095: [SPARK-34988][CORE][3.1] Upgrade Jetty for CVE-2021-28165", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r6ce2907b2691c025250ba010bc797677ef78d5994d08507a2e5477c9%40%3Creviews.spark.apache.org%3E" }, { "name": "[spark-commits] 20210408 [spark] branch branch-2.4 updated: [SPARK-34988][CORE][2.4] Upgrade Jetty for CVE-2021-28165", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/rd24d8a059233167b4a5aebda4b3534ca1d86caa8a85b10a73403ee97%40%3Ccommits.spark.apache.org%3E" }, { "name": "[hbase-issues] 20210408 [GitHub] [hbase-thirdparty] apurtell merged pull request #49: HBASE-25746 [hbase-thirdparty] Update jetty to \u003e= 9.4.39 due to CVE-2021-28165", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r7189bf41cb0c483629917a01cf296f9fbdbda3987084595192e3845d%40%3Cissues.hbase.apache.org%3E" }, { "name": "[hbase-issues] 20210408 [jira] [Updated] (HBASE-25746) [hbase-thirdparty] Update jetty to \u003e= 9.4.39 due to CVE-2021-28165", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r4891d45625cc522fe0eb764ac50d48bcca9c0db4805ea4a998d4c225%40%3Cissues.hbase.apache.org%3E" }, { "name": "[hbase-commits] 20210408 [hbase-thirdparty] branch master updated: HBASE-25746 [hbase-thirdparty] Update jetty to \u003e= 9.4.39 due to CVE-2021-28165 (#49)", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/re0545ecced2d468c94ce4dcfa37d40a9573cc68ef5f6839ffca9c1c1%40%3Ccommits.hbase.apache.org%3E" }, { "name": "[pulsar-commits] 20210409 [GitHub] [pulsar] dinghram opened a new pull request #10183: CVE-2021-28165-Jetty", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r520c56519b8820955a86966f499e7a0afcbcf669d6f7da59ef1eb155%40%3Ccommits.pulsar.apache.org%3E" }, { "name": "[pulsar-commits] 20210409 [GitHub] [pulsar] merlimat commented on pull request #10183: CVE-2021-28165-Jetty", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/rfc9f51b4e21022b3cd6cb6f90791a6a6999560212e519b5f09db0aed%40%3Ccommits.pulsar.apache.org%3E" }, { "name": "[kafka-jira] 20210412 [jira] [Created] (KAFKA-12655) CVE-2021-28165 - Upgrade jetty to 9.4.39", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r65daad30d13f7c56eb5c3d7733ad8dddbf62c469175410777a78d812%40%3Cjira.kafka.apache.org%3E" }, { "name": "[kafka-dev] 20210412 [jira] [Created] (KAFKA-12655) CVE-2021-28165 - Upgrade jetty to 9.4.39", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r6535b2beddf0ed2d263ab64ff365a5f790df135a1a2f45786417adb7%40%3Cdev.kafka.apache.org%3E" }, { "name": "[kafka-jira] 20210412 [jira] [Updated] (KAFKA-12655) CVE-2021-28165 - Upgrade jetty to 9.4.39", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/rc4779abc1cface47e956cf9f8910f15d79c24477e7b1ac9be076a825%40%3Cjira.kafka.apache.org%3E" }, { "name": "[pulsar-commits] 20210412 [GitHub] [pulsar] jiazhai closed pull request #10183: CVE-2021-28165-Jetty", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/rcdea97f4d3233298296aabc103c9fcefbf629425418c2b69bb16745f%40%3Ccommits.pulsar.apache.org%3E" }, { "name": "[pulsar-commits] 20210412 [GitHub] [pulsar] jiazhai commented on pull request #10183: CVE-2021-28165-Jetty", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r90327f55db8f1d079f9a724aabf1f5eb3c00c1de49dc7fd04cad1ebc%40%3Ccommits.pulsar.apache.org%3E" }, { "name": "[kafka-jira] 20210412 [GitHub] [kafka] dongjinleekr opened a new pull request #10526: KAFKA-12655: CVE-2021-28165 - Upgrade jetty to 9.4.39", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r780c3c210a05c5bf7b4671303f46afc3fe56758e92864e1a5f0590d0%40%3Cjira.kafka.apache.org%3E" }, { "name": "[kafka-jira] 20210412 [jira] [Assigned] (KAFKA-12655) CVE-2021-28165 - Upgrade jetty to 9.4.39", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r0bf3aa065abd23960fc8bdc8090d6bc00d5e391cf94ec4e1f4537ae3%40%3Cjira.kafka.apache.org%3E" }, { "name": "[kafka-jira] 20210412 [GitHub] [kafka] dongjinleekr commented on pull request #10526: KAFKA-12655: CVE-2021-28165 - Upgrade jetty to 9.4.39", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r077b76cafb61520c14c87c4fc76419ed664002da0ddac5ad851ae7e7%40%3Cjira.kafka.apache.org%3E" }, { "name": "[kafka-jira] 20210413 [jira] [Resolved] (KAFKA-12655) CVE-2021-28165 - Upgrade jetty to 9.4.39", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/rd755dfe5f658c42704540ad7950cebd136739089c3231658e398cf38%40%3Cjira.kafka.apache.org%3E" }, { "name": "[ignite-issues] 20210413 [jira] [Created] (IGNITE-14527) CVE-2021-2816[3,4,5] in Jetty", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r5b3693da7ecb8a75c0e930b4ca26a5f97aa0207d9dae4aa8cc65fe6b%40%3Cissues.ignite.apache.org%3E" }, { "name": "[kafka-jira] 20210413 [GitHub] [kafka] chia7712 merged pull request #10526: KAFKA-12655: CVE-2021-28165 - Upgrade jetty to 9.4.39", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r6f256a1d15505f79f4050a69bb8f27b34cb353604dd2f765c9da5df7%40%3Cjira.kafka.apache.org%3E" }, { "name": "[ignite-dev] 20210413 [jira] [Created] (IGNITE-14527) CVE-2021-2816[3,4,5] in Jetty", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/rd7c8fb305a8637480dc943ba08424c8992dccad018cd1405eb2afe0e%40%3Cdev.ignite.apache.org%3E" }, { "name": "[kafka-jira] 20210413 [jira] [Updated] (KAFKA-12655) CVE-2021-28165 - Upgrade jetty to 9.4.39", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/rc4dbc9907b0bdd634200ac90a15283d9c143c11af66e7ec72128d020%40%3Cjira.kafka.apache.org%3E" }, { "name": "[kafka-dev] 20210413 [jira] [Resolved] (KAFKA-12655) CVE-2021-28165 - Upgrade jetty to 9.4.39", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r694e57d74fcaa48818a03c282aecfa13ae68340c798dfcb55cb7acc7%40%3Cdev.kafka.apache.org%3E" }, { "name": "[kafka-jira] 20210413 [GitHub] [kafka] chia7712 commented on pull request #10526: KAFKA-12655: CVE-2021-28165 - Upgrade jetty to 9.4.39", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/rd9ea411a58925cc82c32e15f541ead23cb25b4b2d57a2bdb0341536e%40%3Cjira.kafka.apache.org%3E" }, { "name": "[kafka-jira] 20210413 [GitHub] [kafka] edwin092 commented on pull request #10526: KAFKA-12655: CVE-2021-28165 - Upgrade jetty to 9.4.39", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r6b070441871a4e6ce8bb63e190c879bb60da7c5e15023de29ebd4f9f%40%3Cjira.kafka.apache.org%3E" }, { "name": "[kafka-jira] 20210413 [GitHub] [kafka] dongjinleekr commented on pull request #10526: KAFKA-12655: CVE-2021-28165 - Upgrade jetty to 9.4.39", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r81748d56923882543f5be456043c67daef84d631cf54899082058ef1%40%3Cjira.kafka.apache.org%3E" }, { "name": "[solr-issues] 20210414 [jira] [Updated] (SOLR-15338) High security vulnerability in Jetty library CVE-2021-28163 (+5) bundled within Solr", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r0841b06b48324cfc81325de3c05a92e53f997185f9d71ff47734d961%40%3Cissues.solr.apache.org%3E" }, { "name": "[oss-security] 20210420 Vulnerability in Jenkins", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2021/04/20/3" }, { "name": "[ignite-issues] 20210426 [jira] [Updated] (IGNITE-14527) CVE-2021-2816[3,4,5] in Jetty", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r6ac9e263129328c0db9940d72b4a6062e703c58918dd34bd22cdf8dd%40%3Cissues.ignite.apache.org%3E" }, { "name": "[ignite-issues] 20210426 [jira] [Commented] (IGNITE-14527) CVE-2021-2816[3,4,5] in Jetty", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r4a66bfbf62281e31bc1345ebecbfd96f35199eecd77bfe4e903e906f%40%3Cissues.ignite.apache.org%3E" }, { "name": "[ignite-issues] 20210426 [jira] [Updated] (IGNITE-14527) Upgrade Jetty version to fix CVE-2021-2816[3,4,5] in Jetty", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r4b1fef117bccc7f5fd4c45fd2cabc26838df823fe5ca94bc42a4fd46%40%3Cissues.ignite.apache.org%3E" }, { "name": "[solr-issues] 20210507 [jira] [Updated] (SOLR-15338) High security vulnerability in Jetty library CVE-2021-28163 (+5) bundled within Solr", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r111f1ce28b133a8090ca4f809a1bdf18a777426fc058dc3a16c39c66%40%3Cissues.solr.apache.org%3E" }, { "name": "[spark-reviews] 20210517 [GitHub] [spark] jeffreysmooth commented on pull request #32095: [SPARK-34988][CORE][3.1] Upgrade Jetty for CVE-2021-28165", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r401b1c592f295b811608010a70792b11c91885b72af9f9410cffbe35%40%3Creviews.spark.apache.org%3E" }, { "name": "[spark-reviews] 20210517 [GitHub] [spark] dongjoon-hyun commented on pull request #32095: [SPARK-34988][CORE][3.1] Upgrade Jetty for CVE-2021-28165", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r64ff94118f6c80e6c085c6e2d51bbb490eaefad0642db8c936e4f0b7%40%3Creviews.spark.apache.org%3E" }, { "name": "[solr-issues] 20210623 [jira] [Updated] (SOLR-15338) High security vulnerability in Jetty library CVE-2021-28163 (+5) bundled within Solr", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r2ea2f0541121f17e470a0184843720046c59d4bde6d42bf5ca6fad81%40%3Cissues.solr.apache.org%3E" }, { "name": "[solr-issues] 20210711 [jira] [Created] (SOLR-15529) High security vulnerability in JDOM library bundled within Solr 8.9 CVE-2021-33813", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r9974f64723875052e02787b2a5eda689ac5247c71b827d455e5dc9a6%40%3Cissues.solr.apache.org%3E" }, { "name": "[solr-issues] 20210711 [jira] [Updated] (SOLR-15529) High security vulnerability in JDOM library bundled within Solr 8.9 CVE-2021-33813", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/rbc075a4ac85e7a8e47420b7383f16ffa0af3b792b8423584735f369f%40%3Cissues.solr.apache.org%3E" }, { "name": "[kafka-jira] 20210715 [jira] [Commented] (KAFKA-12655) CVE-2021-28165 - Upgrade jetty to 9.4.39", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r40136c2010fccf4fb2818a965e5d7ecca470e5f525c232ec5b8eb83a%40%3Cjira.kafka.apache.org%3E" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.oracle.com//security-alerts/cpujul2021.html" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://security.netapp.com/advisory/ntap-20210611-0006/" }, { "name": "DSA-4949", "tags": [ "vendor-advisory", "x_refsource_DEBIAN", "x_transferred" ], "url": "https://www.debian.org/security/2021/dsa-4949" }, { "name": "[solr-issues] 20210813 [jira] [Resolved] (SOLR-15338) High security vulnerability in Jetty library CVE-2021-28163 (+5) bundled within Solr", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/rd0471252aeb3384c3cfa6d131374646d4641b80dd313e7b476c47a9c%40%3Cissues.solr.apache.org%3E" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.oracle.com/security-alerts/cpujan2022.html" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Eclipse Jetty", "vendor": "The Eclipse Foundation", "versions": [ { "lessThan": "unspecified", "status": "affected", "version": "7.2.2", "versionType": "custom" }, { "lessThanOrEqual": "9.4.38", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "10.0.0.alpha0", "versionType": "custom" }, { "lessThanOrEqual": "10.0.1", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "11.0.0.alpha0", "versionType": "custom" }, { "lessThanOrEqual": "11.0.1", "status": "affected", "version": "unspecified", "versionType": "custom" } ] } ], "descriptions": [ { "lang": "en", "value": "In Eclipse Jetty 7.2.2 to 9.4.38, 10.0.0.alpha0 to 10.0.1, and 11.0.0.alpha0 to 11.0.1, CPU usage can reach 100% upon receiving a large invalid TLS frame." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-400", "description": "CWE-400", "lang": "en", "type": "CWE" } ] }, { "descriptions": [ { "cweId": "CWE-551", "description": "CWE-551", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2022-04-19T23:54:20", "orgId": "e51fbebd-6053-4e49-959f-1b94eeb69a2c", "shortName": "eclipse" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/eclipse/jetty.project/security/advisories/GHSA-26vr-8j45-3r4w" }, { "name": "[zookeeper-issues] 20210407 [jira] [Updated] (ZOOKEEPER-4277) dependency-check:check failing - jetty-server-9.4.39 CVE-2021-28165", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r17e26cf9a1e3cbc09522d15ece5d7c7a00cdced7641b92a22a783287%40%3Cissues.zookeeper.apache.org%3E" }, { "name": "[zookeeper-issues] 20210407 [jira] [Assigned] (ZOOKEEPER-4277) dependency-check:check failing - jetty-server-9.4.39 CVE-2021-28165", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r5f172f2dd8fb02f032ef4437218fd4f610605a3dd4f2a024c1e43b94%40%3Cissues.zookeeper.apache.org%3E" }, { "name": "[zookeeper-notifications] 20210407 [GitHub] [zookeeper] nkalmar opened a new pull request #1675: ZOOKEEPER-4277: update jetty to 9.4.39 due to CVE-2021-28165", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/ra210e38ae0bf615084390b26ba01bb5d66c0a76f232277446ae0948a%40%3Cnotifications.zookeeper.apache.org%3E" }, { "name": "[zookeeper-issues] 20210407 [jira] [Updated] (ZOOKEEPER-4277) dependency-check:check failing - jetty-server-9.4.38 CVE-2021-28165", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/re577736ca7da51952c910b345a500b7676ea9931c9b19709b87f292b%40%3Cissues.zookeeper.apache.org%3E" }, { "name": "[zookeeper-issues] 20210407 [jira] [Created] (ZOOKEEPER-4277) dependency-check:check failing - jetty-server-9.4.39 CVE-2021-28165", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/rbcd7b477df55857bb6cae21fcc4404683ac98aac1a47551f0dc55486%40%3Cissues.zookeeper.apache.org%3E" }, { "name": "[zookeeper-notifications] 20210407 [GitHub] [zookeeper] nkalmar commented on pull request #1675: ZOOKEEPER-4277: update jetty to 9.4.39 due to CVE-2021-28165", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r9db72e9c33b93eba45a214af588f1d553839b5c3080fc913854a49ab%40%3Cnotifications.zookeeper.apache.org%3E" }, { "name": "[zookeeper-dev] 20210407 [jira] [Created] (ZOOKEEPER-4277) dependency-check:check failing - jetty-server-9.4.39 CVE-2021-28165", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/re6614b4fe7dbb945409daadb9e1cc73c02383df68bf9334736107a6e%40%3Cdev.zookeeper.apache.org%3E" }, { "name": "[zookeeper-dev] 20210407 Re: [VOTE] Apache ZooKeeper release 3.6.3 candidate 1", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r56e5568ac73daedcb3b5affbb4b908999f03d3c1b1ada3920b01e959%40%3Cdev.zookeeper.apache.org%3E" }, { "name": "[zookeeper-notifications] 20210407 [GitHub] [zookeeper] nkalmar opened a new pull request #1676: ZOOKEEPER-4277: update jetty to 9.4.39 due to CVE-2021-28165", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/ra21b3e6bd9669377139fe33fb46edf6fece3f31375bc42a0dcc964b2%40%3Cnotifications.zookeeper.apache.org%3E" }, { "name": "[zookeeper-notifications] 20210407 [GitHub] [zookeeper] nkalmar edited a comment on pull request #1675: ZOOKEEPER-4277: update jetty to 9.4.39 due to CVE-2021-28165", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/rbba0b02a3287e34af328070dd58f7828612f96e2e64992137f4dc63d%40%3Cnotifications.zookeeper.apache.org%3E" }, { "name": "[zookeeper-notifications] 20210407 [GitHub] [zookeeper] arshadmohammad commented on pull request #1675: ZOOKEEPER-4277: update jetty to 9.4.39 due to CVE-2021-28165", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/rf99f9a25ca24fe519c9346388f61b5b3a09be31b800bf37f01473ad7%40%3Cnotifications.zookeeper.apache.org%3E" }, { "name": "[zookeeper-commits] 20210407 [zookeeper] branch branch-3.6 updated: ZOOKEEPER-4277: update jetty to 9.4.39 due to CVE-2021-28165", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/rdf4fe435891e8c35e70ea5da033b4c3da78760f15a8c4212fad89d9f%40%3Ccommits.zookeeper.apache.org%3E" }, { "name": "[zookeeper-notifications] 20210407 [GitHub] [zookeeper] arshadmohammad closed pull request #1676: ZOOKEEPER-4277: update jetty to 9.4.39 due to CVE-2021-28165", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/rb11a13e623218c70b9f2a2d0d122fdaaf905e04a2edcd23761894464%40%3Cnotifications.zookeeper.apache.org%3E" }, { "name": "[zookeeper-commits] 20210407 [zookeeper] branch branch-3.7 updated: ZOOKEEPER-4277: update jetty to 9.4.39 due to CVE-2021-28165", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r7bf7004c18c914fae3d5a6a0191d477e5b6408d95669b3afbf6efa36%40%3Ccommits.zookeeper.apache.org%3E" }, { "name": "[zookeeper-notifications] 20210407 [GitHub] [zookeeper] asfgit closed pull request #1675: ZOOKEEPER-4277: update jetty to 9.4.39 due to CVE-2021-28165", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/ra9dd15ba8a4fb7e42c7fe948a6d6b3868fd6bbf8e3fb37fcf33b2cd0%40%3Cnotifications.zookeeper.apache.org%3E" }, { "name": "[zookeeper-notifications] 20210407 [GitHub] [zookeeper] arshadmohammad commented on pull request #1676: ZOOKEEPER-4277: update jetty to 9.4.39 due to CVE-2021-28165", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r002258611ed0c35b82b839d284b43db9dcdec120db8afc1c993137dc%40%3Cnotifications.zookeeper.apache.org%3E" }, { "name": "[zookeeper-commits] 20210407 [zookeeper] branch branch-3.5 updated: ZOOKEEPER-4277: update jetty to 9.4.39 due to CVE-2021-28165", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r0a241b0649beef90d422b42a26a2470d336e59e66970eafd54f9c3e2%40%3Ccommits.zookeeper.apache.org%3E" }, { "name": "[zookeeper-commits] 20210407 [zookeeper] branch branch-3.6.3 updated: ZOOKEEPER-4277: update jetty to 9.4.39 due to CVE-2021-28165", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/rc907ed7b089828364437de5ed57fa062330970dc1bc5cd214b711f77%40%3Ccommits.zookeeper.apache.org%3E" }, { "name": "[zookeeper-commits] 20210407 [zookeeper] branch master updated: ZOOKEEPER-4277: update jetty to 9.4.39 due to CVE-2021-28165", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r33eb3889ca0aa12720355e64fc2f8f1e8c0c28a4d55b3b4b8891becb%40%3Ccommits.zookeeper.apache.org%3E" }, { "name": "[hbase-dev] 20210407 [jira] [Created] (HBASE-25746) [hbase-thirdparty] Update jetty to \u003e= 9.4.39 due to CVE-2021-28165", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r4abbd760d24bab2b8f1294c5c9216ae915100099c4391ad64e9ae38b%40%3Cdev.hbase.apache.org%3E" }, { "name": "[hbase-issues] 20210407 [GitHub] [hbase-thirdparty] apurtell opened a new pull request #49: HBASE-25746 [hbase-thirdparty] Update jetty to \u003e= 9.4.39 due to CVE-2021-28165", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/ra50519652b0b7f869a14fbfb4be9758a29171d7fe561bb7e036e8449%40%3Cissues.hbase.apache.org%3E" }, { "name": "[hbase-issues] 20210407 [GitHub] [hbase-thirdparty] Apache-HBase commented on pull request #49: HBASE-25746 [hbase-thirdparty] Update jetty to \u003e= 9.4.39 due to CVE-2021-28165", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/rdbf2a2cd1800540ae50dd78b57411229223a6172117d62b8e57596aa%40%3Cissues.hbase.apache.org%3E" }, { "name": "[hbase-issues] 20210407 [jira] [Created] (HBASE-25746) [hbase-thirdparty] Update jetty to \u003e= 9.4.39 due to CVE-2021-28165", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/rbab9e67ec97591d063905bc7d4743e6a673f1bc457975fc0445ac97f%40%3Cissues.hbase.apache.org%3E" }, { "name": "[hbase-issues] 20210407 [jira] [Updated] (HBASE-25746) [hbase-thirdparty] Update jetty to \u003e= 9.4.39 due to CVE-2021-28165", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r0f02034a33076fd7243cf3a8807d2766e373f5cb2e7fd0c9a78f97c4%40%3Cissues.hbase.apache.org%3E" }, { "name": "[spark-issues] 20210408 [jira] [Created] (SPARK-34988) Upgrade Jetty for CVE-2021-28165", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r03ca0b69db1e3e5f72fe484b71370d537cd711cbf334e2913332730a%40%3Cissues.spark.apache.org%3E" }, { "name": "[spark-issues] 20210408 [jira] [Commented] (SPARK-34988) Upgrade Jetty for CVE-2021-28165", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r83453ec252af729996476e5839d0b28f07294959d60fea1bd76f7d81%40%3Cissues.spark.apache.org%3E" }, { "name": "[spark-reviews] 20210408 [GitHub] [spark] SparkQA commented on pull request #32091: [SPARK-34988][CORE] Upgrade Jetty for CVE-2021-28165", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r5d1f16dca2e010193840068f1a1ec17b7015e91acc646607cbc0a4da%40%3Creviews.spark.apache.org%3E" }, { "name": "[spark-reviews] 20210408 [GitHub] [spark] sarutak opened a new pull request #32091: [SPARK-34988][CORE] Upgrade Jetty for CVE-2021-28165", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r940f15db77a96f6aea92d830bc94d8d95f26cc593394d144755824da%40%3Creviews.spark.apache.org%3E" }, { "name": "[spark-issues] 20210408 [jira] [Updated] (SPARK-34988) Upgrade Jetty for CVE-2021-28165", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r7c40fb3a66a39b6e6c83b0454bc6917ffe6c69e3131322be9c07a1da%40%3Cissues.spark.apache.org%3E" }, { "name": "[spark-issues] 20210408 [jira] [Assigned] (SPARK-34988) Upgrade Jetty for CVE-2021-28165", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r942f4a903d0abb25ac75c592e57df98dea51350e8589269a72fd7913%40%3Cissues.spark.apache.org%3E" }, { "name": "[spark-reviews] 20210408 [GitHub] [spark] AmplabJenkins removed a comment on pull request #32091: [SPARK-34988][CORE] Upgrade Jetty for CVE-2021-28165", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/rf6de4c249bd74007f5f66f683c110535f46e719d2f83a41e8faf295f%40%3Creviews.spark.apache.org%3E" }, { "name": "[spark-reviews] 20210408 [GitHub] [spark] AmplabJenkins commented on pull request #32091: [SPARK-34988][CORE] Upgrade Jetty for CVE-2021-28165", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/rb8f5a6ded384eb00608e6137e87110e7dd7d5054cc34561cb89b81af%40%3Creviews.spark.apache.org%3E" }, { "name": "[spark-reviews] 20210408 [GitHub] [spark] sarutak opened a new pull request #32094: [SPARK-34988][CORE][3.0] Upgrade Jetty for CVE-2021-28165", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/re3a1617d16a7367f767b8209b2151f4c19958196354b39568c532f26%40%3Creviews.spark.apache.org%3E" }, { "name": "[spark-reviews] 20210408 [GitHub] [spark] HyukjinKwon commented on pull request #32093: [SPARK-34988][CORE][2.4] Upgrade Jetty for CVE-2021-28165", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r2f2d9c3b7cc750a6763d6388bcf5db0c7b467bd8be6ac4d6aea4f0cf%40%3Creviews.spark.apache.org%3E" }, { "name": "[spark-reviews] 20210408 [GitHub] [spark] sarutak opened a new pull request #32095: [SPARK-34988][CORE][3.1] Upgrade Jetty for CVE-2021-28165", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r0cd1a5e3f4ad4770b44f8aa96572fc09d5b35bec149c0cc247579c42%40%3Creviews.spark.apache.org%3E" }, { "name": "[spark-reviews] 20210408 [GitHub] [spark] sarutak commented on pull request #32091: [SPARK-34988][CORE] Upgrade Jetty for CVE-2021-28165", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/rdfe5f1c071ba9dadba18d7fb0ff13ea6ecb33da624250c559999eaeb%40%3Creviews.spark.apache.org%3E" }, { "name": "[spark-reviews] 20210408 [GitHub] [spark] SparkQA commented on pull request #32094: [SPARK-34988][CORE][3.0] Upgrade Jetty for CVE-2021-28165", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r9b793db9f395b546e66fb9c44fe1cd75c7755029e944dfee31b8b779%40%3Creviews.spark.apache.org%3E" }, { "name": "[spark-issues] 20210408 [jira] [Resolved] (SPARK-34988) Upgrade Jetty for CVE-2021-28165", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r9fae5a4087d9ed1c9d4f0c7493b6981a4741cfb4bebb2416da638424%40%3Cissues.spark.apache.org%3E" }, { "name": "[spark-reviews] 20210408 [GitHub] [spark] AmplabJenkins commented on pull request #32093: [SPARK-34988][CORE][2.4] Upgrade Jetty for CVE-2021-28165", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r769155244ca2da2948a44091bb3bb9a56e7e1c71ecc720b8ecf281f0%40%3Creviews.spark.apache.org%3E" }, { "name": "[spark-reviews] 20210408 [GitHub] [spark] MaxGekk commented on pull request #32091: [SPARK-34988][CORE] Upgrade Jetty for CVE-2021-28165", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/rfd3ff6e66b6bbcfb2fefa9f5a20328937c0369b2e142e3e1c6774743%40%3Creviews.spark.apache.org%3E" }, { "name": "[spark-reviews] 20210408 [GitHub] [spark] MaxGekk closed pull request #32091: [SPARK-34988][CORE] Upgrade Jetty for CVE-2021-28165", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/rb66ed0b4bb74836add60dd5ddf9172016380b2aeefb7f96fe348537b%40%3Creviews.spark.apache.org%3E" }, { "name": "[spark-reviews] 20210408 [GitHub] [spark] SparkQA commented on pull request #32093: [SPARK-34988][CORE][2.4] Upgrade Jetty for CVE-2021-28165", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/rc6c43c3180c0efe00497c73dd374cd34b62036cb67987ad42c1f2dce%40%3Creviews.spark.apache.org%3E" }, { "name": "[spark-reviews] 20210408 [GitHub] [spark] sarutak opened a new pull request #32093: [SPARK-34988][CORE][2.4] Upgrade Jetty for CVE-2021-28165", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r31f591a0deac927ede8ccc3eac4bb92697ee2361bf01549f9e3440ca%40%3Creviews.spark.apache.org%3E" }, { "name": "[spark-reviews] 20210408 [GitHub] [spark] SparkQA commented on pull request #32095: [SPARK-34988][CORE][3.1] Upgrade Jetty for CVE-2021-28165", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/rae8bbc5a516f3e21b8a55e61ff6ad0ced03bdbd116d2170a3eed9f5c%40%3Creviews.spark.apache.org%3E" }, { "name": "[spark-reviews] 20210408 [GitHub] [spark] AmplabJenkins removed a comment on pull request #32094: [SPARK-34988][CORE][3.0] Upgrade Jetty for CVE-2021-28165", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/rbd9a837a18ca57ac0d9b4165a6eec95ee132f55d025666fe41099f33%40%3Creviews.spark.apache.org%3E" }, { "name": "[spark-reviews] 20210408 [GitHub] [spark] AmplabJenkins removed a comment on pull request #32095: [SPARK-34988][CORE][3.1] Upgrade Jetty for CVE-2021-28165", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/raea6e820644e8c5a577f77d4e2044f8ab52183c2536b00c56738beef%40%3Creviews.spark.apache.org%3E" }, { "name": "[spark-reviews] 20210408 [GitHub] [spark] AmplabJenkins commented on pull request #32094: [SPARK-34988][CORE][3.0] Upgrade Jetty for CVE-2021-28165", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/rb1624b9777a3070135e94331a428c6653a6a1edccd56fa9fb7a547f2%40%3Creviews.spark.apache.org%3E" }, { "name": "[spark-reviews] 20210408 [GitHub] [spark] SparkQA removed a comment on pull request #32091: [SPARK-34988][CORE] Upgrade Jetty for CVE-2021-28165", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/ree1895a256a9db951e0d97a76222909c2e1f28c1a3d89933173deed6%40%3Creviews.spark.apache.org%3E" }, { "name": "[spark-reviews] 20210408 [GitHub] [spark] AmplabJenkins commented on pull request #32095: [SPARK-34988][CORE][3.1] Upgrade Jetty for CVE-2021-28165", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/rd6c1eb9a8a94b3ac8a525d74d792924e8469f201b77e1afcf774e7a6%40%3Creviews.spark.apache.org%3E" }, { "name": "[spark-reviews] 20210408 [GitHub] [spark] AmplabJenkins removed a comment on pull request #32093: [SPARK-34988][CORE][2.4] Upgrade Jetty for CVE-2021-28165", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/rb2d34abb67cdf525945fe4b821c5cdbca29a78d586ae1f9f505a311c%40%3Creviews.spark.apache.org%3E" }, { "name": "[spark-reviews] 20210408 [GitHub] [spark] SparkQA removed a comment on pull request #32093: [SPARK-34988][CORE][2.4] Upgrade Jetty for CVE-2021-28165", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/rb00345f6b1620b553d2cc1acaf3017aa75cea3776b911e024fa3b187%40%3Creviews.spark.apache.org%3E" }, { "name": "[spark-reviews] 20210408 [GitHub] [spark] SparkQA removed a comment on pull request #32094: [SPARK-34988][CORE][3.0] Upgrade Jetty for CVE-2021-28165", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r05db8e0ef01e1280cc7543575ae0fa1c2b4d06a8b928916ef65dd2ad%40%3Creviews.spark.apache.org%3E" }, { "name": "[spark-reviews] 20210408 [GitHub] [spark] SparkQA removed a comment on pull request #32095: [SPARK-34988][CORE][3.1] Upgrade Jetty for CVE-2021-28165", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r71031d0acb1de55c9ab32f4750c50ce2f28543252e887ca03bd5621e%40%3Creviews.spark.apache.org%3E" }, { "name": "[spark-reviews] 20210408 [GitHub] [spark] srowen commented on pull request #32095: [SPARK-34988][CORE][3.1] Upgrade Jetty for CVE-2021-28165", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r06d54a297cb8217c66e5190912a955fb870ba47da164002bf2baffe5%40%3Creviews.spark.apache.org%3E" }, { "name": "[spark-reviews] 20210408 [GitHub] [spark] srowen closed pull request #32093: [SPARK-34988][CORE][2.4] Upgrade Jetty for CVE-2021-28165", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/rdde34d53aa80193cda016272d61e6749f8a9044ccb37a30768938f7e%40%3Creviews.spark.apache.org%3E" }, { "name": "[spark-reviews] 20210408 [GitHub] [spark] dongjoon-hyun edited a comment on pull request #32095: [SPARK-34988][CORE][3.1] Upgrade Jetty for CVE-2021-28165", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r411d75dc6bcefadaaea246549dd18e8d391a880ddf28a796f09ce152%40%3Creviews.spark.apache.org%3E" }, { "name": "[spark-commits] 20210408 [spark] branch branch-3.0 updated: [SPARK-34988][CORE][3.0] Upgrade Jetty for CVE-2021-28165", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r2afc72af069a7fe89ca2de847f3ab3971cb1d668a9497c999946cd78%40%3Ccommits.spark.apache.org%3E" }, { "name": "[spark-reviews] 20210408 [GitHub] [spark] dongjoon-hyun closed pull request #32095: [SPARK-34988][CORE][3.1] Upgrade Jetty for CVE-2021-28165", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r0a4797ba6ceea8074f47574a4f3cc11493d514c1fab8203ebd212add%40%3Creviews.spark.apache.org%3E" }, { "name": "[spark-reviews] 20210408 [GitHub] [spark] srowen closed pull request #32094: [SPARK-34988][CORE][3.0] Upgrade Jetty for CVE-2021-28165", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r23785214d47673b811ef119ca3a40f729801865ea1e891572d15faa6%40%3Creviews.spark.apache.org%3E" }, { "name": "[spark-reviews] 20210408 [GitHub] [spark] viirya commented on pull request #32093: [SPARK-34988][CORE][2.4] Upgrade Jetty for CVE-2021-28165", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/rf1b02dfccd27b8bbc3afd119b212452fa32e9ed7d506be9357a3a7ec%40%3Creviews.spark.apache.org%3E" }, { "name": "[spark-reviews] 20210408 [GitHub] [spark] dongjoon-hyun commented on pull request #32093: [SPARK-34988][CORE][2.4] Upgrade Jetty for CVE-2021-28165", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r47a7542ab61da865fff3db0fe74bfe76c89a37b6e6d2c2a423f8baee%40%3Creviews.spark.apache.org%3E" }, { "name": "[spark-reviews] 20210408 [GitHub] [spark] srowen commented on pull request #32093: [SPARK-34988][CORE][2.4] Upgrade Jetty for CVE-2021-28165", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r72bf813ed4737196ea3ed26494e949577be587fd5939fe8be09907c7%40%3Creviews.spark.apache.org%3E" }, { "name": "[spark-reviews] 20210408 [GitHub] [spark] srowen commented on pull request #32094: [SPARK-34988][CORE][3.0] Upgrade Jetty for CVE-2021-28165", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r746434be6abff9ad321ff54ecae09e1f09c1c7c139021f40a5774090%40%3Creviews.spark.apache.org%3E" }, { "name": "[spark-reviews] 20210408 [GitHub] [spark] dongjoon-hyun commented on pull request #32095: [SPARK-34988][CORE][3.1] Upgrade Jetty for CVE-2021-28165", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r6ce2907b2691c025250ba010bc797677ef78d5994d08507a2e5477c9%40%3Creviews.spark.apache.org%3E" }, { "name": "[spark-commits] 20210408 [spark] branch branch-2.4 updated: [SPARK-34988][CORE][2.4] Upgrade Jetty for CVE-2021-28165", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/rd24d8a059233167b4a5aebda4b3534ca1d86caa8a85b10a73403ee97%40%3Ccommits.spark.apache.org%3E" }, { "name": "[hbase-issues] 20210408 [GitHub] [hbase-thirdparty] apurtell merged pull request #49: HBASE-25746 [hbase-thirdparty] Update jetty to \u003e= 9.4.39 due to CVE-2021-28165", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r7189bf41cb0c483629917a01cf296f9fbdbda3987084595192e3845d%40%3Cissues.hbase.apache.org%3E" }, { "name": "[hbase-issues] 20210408 [jira] [Updated] (HBASE-25746) [hbase-thirdparty] Update jetty to \u003e= 9.4.39 due to CVE-2021-28165", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r4891d45625cc522fe0eb764ac50d48bcca9c0db4805ea4a998d4c225%40%3Cissues.hbase.apache.org%3E" }, { "name": "[hbase-commits] 20210408 [hbase-thirdparty] branch master updated: HBASE-25746 [hbase-thirdparty] Update jetty to \u003e= 9.4.39 due to CVE-2021-28165 (#49)", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/re0545ecced2d468c94ce4dcfa37d40a9573cc68ef5f6839ffca9c1c1%40%3Ccommits.hbase.apache.org%3E" }, { "name": "[pulsar-commits] 20210409 [GitHub] [pulsar] dinghram opened a new pull request #10183: CVE-2021-28165-Jetty", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r520c56519b8820955a86966f499e7a0afcbcf669d6f7da59ef1eb155%40%3Ccommits.pulsar.apache.org%3E" }, { "name": "[pulsar-commits] 20210409 [GitHub] [pulsar] merlimat commented on pull request #10183: CVE-2021-28165-Jetty", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/rfc9f51b4e21022b3cd6cb6f90791a6a6999560212e519b5f09db0aed%40%3Ccommits.pulsar.apache.org%3E" }, { "name": "[kafka-jira] 20210412 [jira] [Created] (KAFKA-12655) CVE-2021-28165 - Upgrade jetty to 9.4.39", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r65daad30d13f7c56eb5c3d7733ad8dddbf62c469175410777a78d812%40%3Cjira.kafka.apache.org%3E" }, { "name": "[kafka-dev] 20210412 [jira] [Created] (KAFKA-12655) CVE-2021-28165 - Upgrade jetty to 9.4.39", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r6535b2beddf0ed2d263ab64ff365a5f790df135a1a2f45786417adb7%40%3Cdev.kafka.apache.org%3E" }, { "name": "[kafka-jira] 20210412 [jira] [Updated] (KAFKA-12655) CVE-2021-28165 - Upgrade jetty to 9.4.39", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/rc4779abc1cface47e956cf9f8910f15d79c24477e7b1ac9be076a825%40%3Cjira.kafka.apache.org%3E" }, { "name": "[pulsar-commits] 20210412 [GitHub] [pulsar] jiazhai closed pull request #10183: CVE-2021-28165-Jetty", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/rcdea97f4d3233298296aabc103c9fcefbf629425418c2b69bb16745f%40%3Ccommits.pulsar.apache.org%3E" }, { "name": "[pulsar-commits] 20210412 [GitHub] [pulsar] jiazhai commented on pull request #10183: CVE-2021-28165-Jetty", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r90327f55db8f1d079f9a724aabf1f5eb3c00c1de49dc7fd04cad1ebc%40%3Ccommits.pulsar.apache.org%3E" }, { "name": "[kafka-jira] 20210412 [GitHub] [kafka] dongjinleekr opened a new pull request #10526: KAFKA-12655: CVE-2021-28165 - Upgrade jetty to 9.4.39", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r780c3c210a05c5bf7b4671303f46afc3fe56758e92864e1a5f0590d0%40%3Cjira.kafka.apache.org%3E" }, { "name": "[kafka-jira] 20210412 [jira] [Assigned] (KAFKA-12655) CVE-2021-28165 - Upgrade jetty to 9.4.39", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r0bf3aa065abd23960fc8bdc8090d6bc00d5e391cf94ec4e1f4537ae3%40%3Cjira.kafka.apache.org%3E" }, { "name": "[kafka-jira] 20210412 [GitHub] [kafka] dongjinleekr commented on pull request #10526: KAFKA-12655: CVE-2021-28165 - Upgrade jetty to 9.4.39", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r077b76cafb61520c14c87c4fc76419ed664002da0ddac5ad851ae7e7%40%3Cjira.kafka.apache.org%3E" }, { "name": "[kafka-jira] 20210413 [jira] [Resolved] (KAFKA-12655) CVE-2021-28165 - Upgrade jetty to 9.4.39", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/rd755dfe5f658c42704540ad7950cebd136739089c3231658e398cf38%40%3Cjira.kafka.apache.org%3E" }, { "name": "[ignite-issues] 20210413 [jira] [Created] (IGNITE-14527) CVE-2021-2816[3,4,5] in Jetty", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r5b3693da7ecb8a75c0e930b4ca26a5f97aa0207d9dae4aa8cc65fe6b%40%3Cissues.ignite.apache.org%3E" }, { "name": "[kafka-jira] 20210413 [GitHub] [kafka] chia7712 merged pull request #10526: KAFKA-12655: CVE-2021-28165 - Upgrade jetty to 9.4.39", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r6f256a1d15505f79f4050a69bb8f27b34cb353604dd2f765c9da5df7%40%3Cjira.kafka.apache.org%3E" }, { "name": "[ignite-dev] 20210413 [jira] [Created] (IGNITE-14527) CVE-2021-2816[3,4,5] in Jetty", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/rd7c8fb305a8637480dc943ba08424c8992dccad018cd1405eb2afe0e%40%3Cdev.ignite.apache.org%3E" }, { "name": "[kafka-jira] 20210413 [jira] [Updated] (KAFKA-12655) CVE-2021-28165 - Upgrade jetty to 9.4.39", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/rc4dbc9907b0bdd634200ac90a15283d9c143c11af66e7ec72128d020%40%3Cjira.kafka.apache.org%3E" }, { "name": "[kafka-dev] 20210413 [jira] [Resolved] (KAFKA-12655) CVE-2021-28165 - Upgrade jetty to 9.4.39", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r694e57d74fcaa48818a03c282aecfa13ae68340c798dfcb55cb7acc7%40%3Cdev.kafka.apache.org%3E" }, { "name": "[kafka-jira] 20210413 [GitHub] [kafka] chia7712 commented on pull request #10526: KAFKA-12655: CVE-2021-28165 - Upgrade jetty to 9.4.39", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/rd9ea411a58925cc82c32e15f541ead23cb25b4b2d57a2bdb0341536e%40%3Cjira.kafka.apache.org%3E" }, { "name": "[kafka-jira] 20210413 [GitHub] [kafka] edwin092 commented on pull request #10526: KAFKA-12655: CVE-2021-28165 - Upgrade jetty to 9.4.39", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r6b070441871a4e6ce8bb63e190c879bb60da7c5e15023de29ebd4f9f%40%3Cjira.kafka.apache.org%3E" }, { "name": "[kafka-jira] 20210413 [GitHub] [kafka] dongjinleekr commented on pull request #10526: KAFKA-12655: CVE-2021-28165 - Upgrade jetty to 9.4.39", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r81748d56923882543f5be456043c67daef84d631cf54899082058ef1%40%3Cjira.kafka.apache.org%3E" }, { "name": "[solr-issues] 20210414 [jira] [Updated] (SOLR-15338) High security vulnerability in Jetty library CVE-2021-28163 (+5) bundled within Solr", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r0841b06b48324cfc81325de3c05a92e53f997185f9d71ff47734d961%40%3Cissues.solr.apache.org%3E" }, { "name": "[oss-security] 20210420 Vulnerability in Jenkins", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://www.openwall.com/lists/oss-security/2021/04/20/3" }, { "name": "[ignite-issues] 20210426 [jira] [Updated] (IGNITE-14527) CVE-2021-2816[3,4,5] in Jetty", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r6ac9e263129328c0db9940d72b4a6062e703c58918dd34bd22cdf8dd%40%3Cissues.ignite.apache.org%3E" }, { "name": "[ignite-issues] 20210426 [jira] [Commented] (IGNITE-14527) CVE-2021-2816[3,4,5] in Jetty", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r4a66bfbf62281e31bc1345ebecbfd96f35199eecd77bfe4e903e906f%40%3Cissues.ignite.apache.org%3E" }, { "name": "[ignite-issues] 20210426 [jira] [Updated] (IGNITE-14527) Upgrade Jetty version to fix CVE-2021-2816[3,4,5] in Jetty", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r4b1fef117bccc7f5fd4c45fd2cabc26838df823fe5ca94bc42a4fd46%40%3Cissues.ignite.apache.org%3E" }, { "name": "[solr-issues] 20210507 [jira] [Updated] (SOLR-15338) High security vulnerability in Jetty library CVE-2021-28163 (+5) bundled within Solr", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r111f1ce28b133a8090ca4f809a1bdf18a777426fc058dc3a16c39c66%40%3Cissues.solr.apache.org%3E" }, { "name": "[spark-reviews] 20210517 [GitHub] [spark] jeffreysmooth commented on pull request #32095: [SPARK-34988][CORE][3.1] Upgrade Jetty for CVE-2021-28165", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r401b1c592f295b811608010a70792b11c91885b72af9f9410cffbe35%40%3Creviews.spark.apache.org%3E" }, { "name": "[spark-reviews] 20210517 [GitHub] [spark] dongjoon-hyun commented on pull request #32095: [SPARK-34988][CORE][3.1] Upgrade Jetty for CVE-2021-28165", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r64ff94118f6c80e6c085c6e2d51bbb490eaefad0642db8c936e4f0b7%40%3Creviews.spark.apache.org%3E" }, { "name": "[solr-issues] 20210623 [jira] [Updated] (SOLR-15338) High security vulnerability in Jetty library CVE-2021-28163 (+5) bundled within Solr", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r2ea2f0541121f17e470a0184843720046c59d4bde6d42bf5ca6fad81%40%3Cissues.solr.apache.org%3E" }, { "name": "[solr-issues] 20210711 [jira] [Created] (SOLR-15529) High security vulnerability in JDOM library bundled within Solr 8.9 CVE-2021-33813", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r9974f64723875052e02787b2a5eda689ac5247c71b827d455e5dc9a6%40%3Cissues.solr.apache.org%3E" }, { "name": "[solr-issues] 20210711 [jira] [Updated] (SOLR-15529) High security vulnerability in JDOM library bundled within Solr 8.9 CVE-2021-33813", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/rbc075a4ac85e7a8e47420b7383f16ffa0af3b792b8423584735f369f%40%3Cissues.solr.apache.org%3E" }, { "name": "[kafka-jira] 20210715 [jira] [Commented] (KAFKA-12655) CVE-2021-28165 - Upgrade jetty to 9.4.39", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r40136c2010fccf4fb2818a965e5d7ecca470e5f525c232ec5b8eb83a%40%3Cjira.kafka.apache.org%3E" }, { "tags": [ "x_refsource_MISC" ], "url": "https://www.oracle.com//security-alerts/cpujul2021.html" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://security.netapp.com/advisory/ntap-20210611-0006/" }, { "name": "DSA-4949", "tags": [ "vendor-advisory", "x_refsource_DEBIAN" ], "url": "https://www.debian.org/security/2021/dsa-4949" }, { "name": "[solr-issues] 20210813 [jira] [Resolved] (SOLR-15338) High security vulnerability in Jetty library CVE-2021-28163 (+5) bundled within Solr", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/rd0471252aeb3384c3cfa6d131374646d4641b80dd313e7b476c47a9c%40%3Cissues.solr.apache.org%3E" }, { "tags": [ "x_refsource_MISC" ], "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" }, { "tags": [ "x_refsource_MISC" ], "url": "https://www.oracle.com/security-alerts/cpujan2022.html" }, { "tags": [ "x_refsource_MISC" ], "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@eclipse.org", "ID": "CVE-2021-28165", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Eclipse Jetty", "version": { "version_data": [ { "version_affected": "\u003e=", "version_value": "7.2.2" }, { "version_affected": "\u003c=", "version_value": "9.4.38" }, { "version_affected": "\u003e=", "version_value": "10.0.0.alpha0" }, { "version_affected": "\u003c=", "version_value": "10.0.1" }, { "version_affected": "\u003e=", "version_value": "11.0.0.alpha0" }, { "version_affected": "\u003c=", "version_value": "11.0.1" } ] } } ] }, "vendor_name": "The Eclipse Foundation" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "In Eclipse Jetty 7.2.2 to 9.4.38, 10.0.0.alpha0 to 10.0.1, and 11.0.0.alpha0 to 11.0.1, CPU usage can reach 100% upon receiving a large invalid TLS frame." } ] }, "impact": { "cvss": { "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-400" } ] }, { "description": [ { "lang": "eng", "value": "CWE-551" } ] } ] }, "references": { "reference_data": [ { "name": "https://github.com/eclipse/jetty.project/security/advisories/GHSA-26vr-8j45-3r4w", "refsource": "CONFIRM", "url": "https://github.com/eclipse/jetty.project/security/advisories/GHSA-26vr-8j45-3r4w" }, { "name": "[zookeeper-issues] 20210407 [jira] [Updated] (ZOOKEEPER-4277) dependency-check:check failing - jetty-server-9.4.39 CVE-2021-28165", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r17e26cf9a1e3cbc09522d15ece5d7c7a00cdced7641b92a22a783287@%3Cissues.zookeeper.apache.org%3E" }, { "name": "[zookeeper-issues] 20210407 [jira] [Assigned] (ZOOKEEPER-4277) dependency-check:check failing - jetty-server-9.4.39 CVE-2021-28165", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r5f172f2dd8fb02f032ef4437218fd4f610605a3dd4f2a024c1e43b94@%3Cissues.zookeeper.apache.org%3E" }, { "name": "[zookeeper-notifications] 20210407 [GitHub] [zookeeper] nkalmar opened a new pull request #1675: ZOOKEEPER-4277: update jetty to 9.4.39 due to CVE-2021-28165", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/ra210e38ae0bf615084390b26ba01bb5d66c0a76f232277446ae0948a@%3Cnotifications.zookeeper.apache.org%3E" }, { "name": "[zookeeper-issues] 20210407 [jira] [Updated] (ZOOKEEPER-4277) dependency-check:check failing - jetty-server-9.4.38 CVE-2021-28165", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/re577736ca7da51952c910b345a500b7676ea9931c9b19709b87f292b@%3Cissues.zookeeper.apache.org%3E" }, { "name": "[zookeeper-issues] 20210407 [jira] [Created] (ZOOKEEPER-4277) dependency-check:check failing - jetty-server-9.4.39 CVE-2021-28165", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/rbcd7b477df55857bb6cae21fcc4404683ac98aac1a47551f0dc55486@%3Cissues.zookeeper.apache.org%3E" }, { "name": "[zookeeper-notifications] 20210407 [GitHub] [zookeeper] nkalmar commented on pull request #1675: ZOOKEEPER-4277: update jetty to 9.4.39 due to CVE-2021-28165", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r9db72e9c33b93eba45a214af588f1d553839b5c3080fc913854a49ab@%3Cnotifications.zookeeper.apache.org%3E" }, { "name": "[zookeeper-dev] 20210407 [jira] [Created] (ZOOKEEPER-4277) dependency-check:check failing - jetty-server-9.4.39 CVE-2021-28165", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/re6614b4fe7dbb945409daadb9e1cc73c02383df68bf9334736107a6e@%3Cdev.zookeeper.apache.org%3E" }, { "name": "[zookeeper-dev] 20210407 Re: [VOTE] Apache ZooKeeper release 3.6.3 candidate 1", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r56e5568ac73daedcb3b5affbb4b908999f03d3c1b1ada3920b01e959@%3Cdev.zookeeper.apache.org%3E" }, { "name": "[zookeeper-notifications] 20210407 [GitHub] [zookeeper] nkalmar opened a new pull request #1676: ZOOKEEPER-4277: update jetty to 9.4.39 due to CVE-2021-28165", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/ra21b3e6bd9669377139fe33fb46edf6fece3f31375bc42a0dcc964b2@%3Cnotifications.zookeeper.apache.org%3E" }, { "name": "[zookeeper-notifications] 20210407 [GitHub] [zookeeper] nkalmar edited a comment on pull request #1675: ZOOKEEPER-4277: update jetty to 9.4.39 due to CVE-2021-28165", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/rbba0b02a3287e34af328070dd58f7828612f96e2e64992137f4dc63d@%3Cnotifications.zookeeper.apache.org%3E" }, { "name": "[zookeeper-notifications] 20210407 [GitHub] [zookeeper] arshadmohammad commented on pull request #1675: ZOOKEEPER-4277: update jetty to 9.4.39 due to CVE-2021-28165", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/rf99f9a25ca24fe519c9346388f61b5b3a09be31b800bf37f01473ad7@%3Cnotifications.zookeeper.apache.org%3E" }, { "name": "[zookeeper-commits] 20210407 [zookeeper] branch branch-3.6 updated: ZOOKEEPER-4277: update jetty to 9.4.39 due to CVE-2021-28165", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/rdf4fe435891e8c35e70ea5da033b4c3da78760f15a8c4212fad89d9f@%3Ccommits.zookeeper.apache.org%3E" }, { "name": "[zookeeper-notifications] 20210407 [GitHub] [zookeeper] arshadmohammad closed pull request #1676: ZOOKEEPER-4277: update jetty to 9.4.39 due to CVE-2021-28165", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/rb11a13e623218c70b9f2a2d0d122fdaaf905e04a2edcd23761894464@%3Cnotifications.zookeeper.apache.org%3E" }, { "name": "[zookeeper-commits] 20210407 [zookeeper] branch branch-3.7 updated: ZOOKEEPER-4277: update jetty to 9.4.39 due to CVE-2021-28165", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r7bf7004c18c914fae3d5a6a0191d477e5b6408d95669b3afbf6efa36@%3Ccommits.zookeeper.apache.org%3E" }, { "name": "[zookeeper-notifications] 20210407 [GitHub] [zookeeper] asfgit closed pull request #1675: ZOOKEEPER-4277: update jetty to 9.4.39 due to CVE-2021-28165", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/ra9dd15ba8a4fb7e42c7fe948a6d6b3868fd6bbf8e3fb37fcf33b2cd0@%3Cnotifications.zookeeper.apache.org%3E" }, { "name": "[zookeeper-notifications] 20210407 [GitHub] [zookeeper] arshadmohammad commented on pull request #1676: ZOOKEEPER-4277: update jetty to 9.4.39 due to CVE-2021-28165", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r002258611ed0c35b82b839d284b43db9dcdec120db8afc1c993137dc@%3Cnotifications.zookeeper.apache.org%3E" }, { "name": "[zookeeper-commits] 20210407 [zookeeper] branch branch-3.5 updated: ZOOKEEPER-4277: update jetty to 9.4.39 due to CVE-2021-28165", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r0a241b0649beef90d422b42a26a2470d336e59e66970eafd54f9c3e2@%3Ccommits.zookeeper.apache.org%3E" }, { "name": "[zookeeper-commits] 20210407 [zookeeper] branch branch-3.6.3 updated: ZOOKEEPER-4277: update jetty to 9.4.39 due to CVE-2021-28165", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/rc907ed7b089828364437de5ed57fa062330970dc1bc5cd214b711f77@%3Ccommits.zookeeper.apache.org%3E" }, { "name": "[zookeeper-commits] 20210407 [zookeeper] branch master updated: ZOOKEEPER-4277: update jetty to 9.4.39 due to CVE-2021-28165", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r33eb3889ca0aa12720355e64fc2f8f1e8c0c28a4d55b3b4b8891becb@%3Ccommits.zookeeper.apache.org%3E" }, { "name": "[hbase-dev] 20210407 [jira] [Created] (HBASE-25746) [hbase-thirdparty] Update jetty to \u003e= 9.4.39 due to CVE-2021-28165", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r4abbd760d24bab2b8f1294c5c9216ae915100099c4391ad64e9ae38b@%3Cdev.hbase.apache.org%3E" }, { "name": "[hbase-issues] 20210407 [GitHub] [hbase-thirdparty] apurtell opened a new pull request #49: HBASE-25746 [hbase-thirdparty] Update jetty to \u003e= 9.4.39 due to CVE-2021-28165", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/ra50519652b0b7f869a14fbfb4be9758a29171d7fe561bb7e036e8449@%3Cissues.hbase.apache.org%3E" }, { "name": "[hbase-issues] 20210407 [GitHub] [hbase-thirdparty] Apache-HBase commented on pull request #49: HBASE-25746 [hbase-thirdparty] Update jetty to \u003e= 9.4.39 due to CVE-2021-28165", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/rdbf2a2cd1800540ae50dd78b57411229223a6172117d62b8e57596aa@%3Cissues.hbase.apache.org%3E" }, { "name": "[hbase-issues] 20210407 [jira] [Created] (HBASE-25746) [hbase-thirdparty] Update jetty to \u003e= 9.4.39 due to CVE-2021-28165", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/rbab9e67ec97591d063905bc7d4743e6a673f1bc457975fc0445ac97f@%3Cissues.hbase.apache.org%3E" }, { "name": "[hbase-issues] 20210407 [jira] [Updated] (HBASE-25746) [hbase-thirdparty] Update jetty to \u003e= 9.4.39 due to CVE-2021-28165", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r0f02034a33076fd7243cf3a8807d2766e373f5cb2e7fd0c9a78f97c4@%3Cissues.hbase.apache.org%3E" }, { "name": "[spark-issues] 20210408 [jira] [Created] (SPARK-34988) Upgrade Jetty for CVE-2021-28165", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r03ca0b69db1e3e5f72fe484b71370d537cd711cbf334e2913332730a@%3Cissues.spark.apache.org%3E" }, { "name": "[spark-issues] 20210408 [jira] [Commented] (SPARK-34988) Upgrade Jetty for CVE-2021-28165", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r83453ec252af729996476e5839d0b28f07294959d60fea1bd76f7d81@%3Cissues.spark.apache.org%3E" }, { "name": "[spark-reviews] 20210408 [GitHub] [spark] SparkQA commented on pull request #32091: [SPARK-34988][CORE] Upgrade Jetty for CVE-2021-28165", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r5d1f16dca2e010193840068f1a1ec17b7015e91acc646607cbc0a4da@%3Creviews.spark.apache.org%3E" }, { "name": "[spark-reviews] 20210408 [GitHub] [spark] sarutak opened a new pull request #32091: [SPARK-34988][CORE] Upgrade Jetty for CVE-2021-28165", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r940f15db77a96f6aea92d830bc94d8d95f26cc593394d144755824da@%3Creviews.spark.apache.org%3E" }, { "name": "[spark-issues] 20210408 [jira] [Updated] (SPARK-34988) Upgrade Jetty for CVE-2021-28165", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r7c40fb3a66a39b6e6c83b0454bc6917ffe6c69e3131322be9c07a1da@%3Cissues.spark.apache.org%3E" }, { "name": "[spark-issues] 20210408 [jira] [Assigned] (SPARK-34988) Upgrade Jetty for CVE-2021-28165", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r942f4a903d0abb25ac75c592e57df98dea51350e8589269a72fd7913@%3Cissues.spark.apache.org%3E" }, { "name": "[spark-reviews] 20210408 [GitHub] [spark] AmplabJenkins removed a comment on pull request #32091: [SPARK-34988][CORE] Upgrade Jetty for CVE-2021-28165", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/rf6de4c249bd74007f5f66f683c110535f46e719d2f83a41e8faf295f@%3Creviews.spark.apache.org%3E" }, { "name": "[spark-reviews] 20210408 [GitHub] [spark] AmplabJenkins commented on pull request #32091: [SPARK-34988][CORE] Upgrade Jetty for CVE-2021-28165", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/rb8f5a6ded384eb00608e6137e87110e7dd7d5054cc34561cb89b81af@%3Creviews.spark.apache.org%3E" }, { "name": "[spark-reviews] 20210408 [GitHub] [spark] sarutak opened a new pull request #32094: [SPARK-34988][CORE][3.0] Upgrade Jetty for CVE-2021-28165", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/re3a1617d16a7367f767b8209b2151f4c19958196354b39568c532f26@%3Creviews.spark.apache.org%3E" }, { "name": "[spark-reviews] 20210408 [GitHub] [spark] HyukjinKwon commented on pull request #32093: [SPARK-34988][CORE][2.4] Upgrade Jetty for CVE-2021-28165", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r2f2d9c3b7cc750a6763d6388bcf5db0c7b467bd8be6ac4d6aea4f0cf@%3Creviews.spark.apache.org%3E" }, { "name": "[spark-reviews] 20210408 [GitHub] [spark] sarutak opened a new pull request #32095: [SPARK-34988][CORE][3.1] Upgrade Jetty for CVE-2021-28165", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r0cd1a5e3f4ad4770b44f8aa96572fc09d5b35bec149c0cc247579c42@%3Creviews.spark.apache.org%3E" }, { "name": "[spark-reviews] 20210408 [GitHub] [spark] sarutak commented on pull request #32091: [SPARK-34988][CORE] Upgrade Jetty for CVE-2021-28165", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/rdfe5f1c071ba9dadba18d7fb0ff13ea6ecb33da624250c559999eaeb@%3Creviews.spark.apache.org%3E" }, { "name": "[spark-reviews] 20210408 [GitHub] [spark] SparkQA commented on pull request #32094: [SPARK-34988][CORE][3.0] Upgrade Jetty for CVE-2021-28165", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r9b793db9f395b546e66fb9c44fe1cd75c7755029e944dfee31b8b779@%3Creviews.spark.apache.org%3E" }, { "name": "[spark-issues] 20210408 [jira] [Resolved] (SPARK-34988) Upgrade Jetty for CVE-2021-28165", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r9fae5a4087d9ed1c9d4f0c7493b6981a4741cfb4bebb2416da638424@%3Cissues.spark.apache.org%3E" }, { "name": "[spark-reviews] 20210408 [GitHub] [spark] AmplabJenkins commented on pull request #32093: [SPARK-34988][CORE][2.4] Upgrade Jetty for CVE-2021-28165", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r769155244ca2da2948a44091bb3bb9a56e7e1c71ecc720b8ecf281f0@%3Creviews.spark.apache.org%3E" }, { "name": "[spark-reviews] 20210408 [GitHub] [spark] MaxGekk commented on pull request #32091: [SPARK-34988][CORE] Upgrade Jetty for CVE-2021-28165", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/rfd3ff6e66b6bbcfb2fefa9f5a20328937c0369b2e142e3e1c6774743@%3Creviews.spark.apache.org%3E" }, { "name": "[spark-reviews] 20210408 [GitHub] [spark] MaxGekk closed pull request #32091: [SPARK-34988][CORE] Upgrade Jetty for CVE-2021-28165", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/rb66ed0b4bb74836add60dd5ddf9172016380b2aeefb7f96fe348537b@%3Creviews.spark.apache.org%3E" }, { "name": "[spark-reviews] 20210408 [GitHub] [spark] SparkQA commented on pull request #32093: [SPARK-34988][CORE][2.4] Upgrade Jetty for CVE-2021-28165", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/rc6c43c3180c0efe00497c73dd374cd34b62036cb67987ad42c1f2dce@%3Creviews.spark.apache.org%3E" }, { "name": "[spark-reviews] 20210408 [GitHub] [spark] sarutak opened a new pull request #32093: [SPARK-34988][CORE][2.4] Upgrade Jetty for CVE-2021-28165", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r31f591a0deac927ede8ccc3eac4bb92697ee2361bf01549f9e3440ca@%3Creviews.spark.apache.org%3E" }, { "name": "[spark-reviews] 20210408 [GitHub] [spark] SparkQA commented on pull request #32095: [SPARK-34988][CORE][3.1] Upgrade Jetty for CVE-2021-28165", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/rae8bbc5a516f3e21b8a55e61ff6ad0ced03bdbd116d2170a3eed9f5c@%3Creviews.spark.apache.org%3E" }, { "name": "[spark-reviews] 20210408 [GitHub] [spark] AmplabJenkins removed a comment on pull request #32094: [SPARK-34988][CORE][3.0] Upgrade Jetty for CVE-2021-28165", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/rbd9a837a18ca57ac0d9b4165a6eec95ee132f55d025666fe41099f33@%3Creviews.spark.apache.org%3E" }, { "name": "[spark-reviews] 20210408 [GitHub] [spark] AmplabJenkins removed a comment on pull request #32095: [SPARK-34988][CORE][3.1] Upgrade Jetty for CVE-2021-28165", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/raea6e820644e8c5a577f77d4e2044f8ab52183c2536b00c56738beef@%3Creviews.spark.apache.org%3E" }, { "name": "[spark-reviews] 20210408 [GitHub] [spark] AmplabJenkins commented on pull request #32094: [SPARK-34988][CORE][3.0] Upgrade Jetty for CVE-2021-28165", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/rb1624b9777a3070135e94331a428c6653a6a1edccd56fa9fb7a547f2@%3Creviews.spark.apache.org%3E" }, { "name": "[spark-reviews] 20210408 [GitHub] [spark] SparkQA removed a comment on pull request #32091: [SPARK-34988][CORE] Upgrade Jetty for CVE-2021-28165", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/ree1895a256a9db951e0d97a76222909c2e1f28c1a3d89933173deed6@%3Creviews.spark.apache.org%3E" }, { "name": "[spark-reviews] 20210408 [GitHub] [spark] AmplabJenkins commented on pull request #32095: [SPARK-34988][CORE][3.1] Upgrade Jetty for CVE-2021-28165", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/rd6c1eb9a8a94b3ac8a525d74d792924e8469f201b77e1afcf774e7a6@%3Creviews.spark.apache.org%3E" }, { "name": "[spark-reviews] 20210408 [GitHub] [spark] AmplabJenkins removed a comment on pull request #32093: [SPARK-34988][CORE][2.4] Upgrade Jetty for CVE-2021-28165", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/rb2d34abb67cdf525945fe4b821c5cdbca29a78d586ae1f9f505a311c@%3Creviews.spark.apache.org%3E" }, { "name": "[spark-reviews] 20210408 [GitHub] [spark] SparkQA removed a comment on pull request #32093: [SPARK-34988][CORE][2.4] Upgrade Jetty for CVE-2021-28165", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/rb00345f6b1620b553d2cc1acaf3017aa75cea3776b911e024fa3b187@%3Creviews.spark.apache.org%3E" }, { "name": "[spark-reviews] 20210408 [GitHub] [spark] SparkQA removed a comment on pull request #32094: [SPARK-34988][CORE][3.0] Upgrade Jetty for CVE-2021-28165", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r05db8e0ef01e1280cc7543575ae0fa1c2b4d06a8b928916ef65dd2ad@%3Creviews.spark.apache.org%3E" }, { "name": "[spark-reviews] 20210408 [GitHub] [spark] SparkQA removed a comment on pull request #32095: [SPARK-34988][CORE][3.1] Upgrade Jetty for CVE-2021-28165", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r71031d0acb1de55c9ab32f4750c50ce2f28543252e887ca03bd5621e@%3Creviews.spark.apache.org%3E" }, { "name": "[spark-reviews] 20210408 [GitHub] [spark] srowen commented on pull request #32095: [SPARK-34988][CORE][3.1] Upgrade Jetty for CVE-2021-28165", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r06d54a297cb8217c66e5190912a955fb870ba47da164002bf2baffe5@%3Creviews.spark.apache.org%3E" }, { "name": "[spark-reviews] 20210408 [GitHub] [spark] srowen closed pull request #32093: [SPARK-34988][CORE][2.4] Upgrade Jetty for CVE-2021-28165", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/rdde34d53aa80193cda016272d61e6749f8a9044ccb37a30768938f7e@%3Creviews.spark.apache.org%3E" }, { "name": "[spark-reviews] 20210408 [GitHub] [spark] dongjoon-hyun edited a comment on pull request #32095: [SPARK-34988][CORE][3.1] Upgrade Jetty for CVE-2021-28165", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r411d75dc6bcefadaaea246549dd18e8d391a880ddf28a796f09ce152@%3Creviews.spark.apache.org%3E" }, { "name": "[spark-commits] 20210408 [spark] branch branch-3.0 updated: [SPARK-34988][CORE][3.0] Upgrade Jetty for CVE-2021-28165", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r2afc72af069a7fe89ca2de847f3ab3971cb1d668a9497c999946cd78@%3Ccommits.spark.apache.org%3E" }, { "name": "[spark-reviews] 20210408 [GitHub] [spark] dongjoon-hyun closed pull request #32095: [SPARK-34988][CORE][3.1] Upgrade Jetty for CVE-2021-28165", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r0a4797ba6ceea8074f47574a4f3cc11493d514c1fab8203ebd212add@%3Creviews.spark.apache.org%3E" }, { "name": "[spark-reviews] 20210408 [GitHub] [spark] srowen closed pull request #32094: [SPARK-34988][CORE][3.0] Upgrade Jetty for CVE-2021-28165", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r23785214d47673b811ef119ca3a40f729801865ea1e891572d15faa6@%3Creviews.spark.apache.org%3E" }, { "name": "[spark-reviews] 20210408 [GitHub] [spark] viirya commented on pull request #32093: [SPARK-34988][CORE][2.4] Upgrade Jetty for CVE-2021-28165", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/rf1b02dfccd27b8bbc3afd119b212452fa32e9ed7d506be9357a3a7ec@%3Creviews.spark.apache.org%3E" }, { "name": "[spark-reviews] 20210408 [GitHub] [spark] dongjoon-hyun commented on pull request #32093: [SPARK-34988][CORE][2.4] Upgrade Jetty for CVE-2021-28165", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r47a7542ab61da865fff3db0fe74bfe76c89a37b6e6d2c2a423f8baee@%3Creviews.spark.apache.org%3E" }, { "name": "[spark-reviews] 20210408 [GitHub] [spark] srowen commented on pull request #32093: [SPARK-34988][CORE][2.4] Upgrade Jetty for CVE-2021-28165", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r72bf813ed4737196ea3ed26494e949577be587fd5939fe8be09907c7@%3Creviews.spark.apache.org%3E" }, { "name": "[spark-reviews] 20210408 [GitHub] [spark] srowen commented on pull request #32094: [SPARK-34988][CORE][3.0] Upgrade Jetty for CVE-2021-28165", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r746434be6abff9ad321ff54ecae09e1f09c1c7c139021f40a5774090@%3Creviews.spark.apache.org%3E" }, { "name": "[spark-reviews] 20210408 [GitHub] [spark] dongjoon-hyun commented on pull request #32095: [SPARK-34988][CORE][3.1] Upgrade Jetty for CVE-2021-28165", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r6ce2907b2691c025250ba010bc797677ef78d5994d08507a2e5477c9@%3Creviews.spark.apache.org%3E" }, { "name": "[spark-commits] 20210408 [spark] branch branch-2.4 updated: [SPARK-34988][CORE][2.4] Upgrade Jetty for CVE-2021-28165", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/rd24d8a059233167b4a5aebda4b3534ca1d86caa8a85b10a73403ee97@%3Ccommits.spark.apache.org%3E" }, { "name": "[hbase-issues] 20210408 [GitHub] [hbase-thirdparty] apurtell merged pull request #49: HBASE-25746 [hbase-thirdparty] Update jetty to \u003e= 9.4.39 due to CVE-2021-28165", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r7189bf41cb0c483629917a01cf296f9fbdbda3987084595192e3845d@%3Cissues.hbase.apache.org%3E" }, { "name": "[hbase-issues] 20210408 [jira] [Updated] (HBASE-25746) [hbase-thirdparty] Update jetty to \u003e= 9.4.39 due to CVE-2021-28165", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r4891d45625cc522fe0eb764ac50d48bcca9c0db4805ea4a998d4c225@%3Cissues.hbase.apache.org%3E" }, { "name": "[hbase-commits] 20210408 [hbase-thirdparty] branch master updated: HBASE-25746 [hbase-thirdparty] Update jetty to \u003e= 9.4.39 due to CVE-2021-28165 (#49)", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/re0545ecced2d468c94ce4dcfa37d40a9573cc68ef5f6839ffca9c1c1@%3Ccommits.hbase.apache.org%3E" }, { "name": "[pulsar-commits] 20210409 [GitHub] [pulsar] dinghram opened a new pull request #10183: CVE-2021-28165-Jetty", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r520c56519b8820955a86966f499e7a0afcbcf669d6f7da59ef1eb155@%3Ccommits.pulsar.apache.org%3E" }, { "name": "[pulsar-commits] 20210409 [GitHub] [pulsar] merlimat commented on pull request #10183: CVE-2021-28165-Jetty", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/rfc9f51b4e21022b3cd6cb6f90791a6a6999560212e519b5f09db0aed@%3Ccommits.pulsar.apache.org%3E" }, { "name": "[kafka-jira] 20210412 [jira] [Created] (KAFKA-12655) CVE-2021-28165 - Upgrade jetty to 9.4.39", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r65daad30d13f7c56eb5c3d7733ad8dddbf62c469175410777a78d812@%3Cjira.kafka.apache.org%3E" }, { "name": "[kafka-dev] 20210412 [jira] [Created] (KAFKA-12655) CVE-2021-28165 - Upgrade jetty to 9.4.39", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r6535b2beddf0ed2d263ab64ff365a5f790df135a1a2f45786417adb7@%3Cdev.kafka.apache.org%3E" }, { "name": "[kafka-jira] 20210412 [jira] [Updated] (KAFKA-12655) CVE-2021-28165 - Upgrade jetty to 9.4.39", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/rc4779abc1cface47e956cf9f8910f15d79c24477e7b1ac9be076a825@%3Cjira.kafka.apache.org%3E" }, { "name": "[pulsar-commits] 20210412 [GitHub] [pulsar] jiazhai closed pull request #10183: CVE-2021-28165-Jetty", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/rcdea97f4d3233298296aabc103c9fcefbf629425418c2b69bb16745f@%3Ccommits.pulsar.apache.org%3E" }, { "name": "[pulsar-commits] 20210412 [GitHub] [pulsar] jiazhai commented on pull request #10183: CVE-2021-28165-Jetty", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r90327f55db8f1d079f9a724aabf1f5eb3c00c1de49dc7fd04cad1ebc@%3Ccommits.pulsar.apache.org%3E" }, { "name": "[kafka-jira] 20210412 [GitHub] [kafka] dongjinleekr opened a new pull request #10526: KAFKA-12655: CVE-2021-28165 - Upgrade jetty to 9.4.39", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r780c3c210a05c5bf7b4671303f46afc3fe56758e92864e1a5f0590d0@%3Cjira.kafka.apache.org%3E" }, { "name": "[kafka-jira] 20210412 [jira] [Assigned] (KAFKA-12655) CVE-2021-28165 - Upgrade jetty to 9.4.39", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r0bf3aa065abd23960fc8bdc8090d6bc00d5e391cf94ec4e1f4537ae3@%3Cjira.kafka.apache.org%3E" }, { "name": "[kafka-jira] 20210412 [GitHub] [kafka] dongjinleekr commented on pull request #10526: KAFKA-12655: CVE-2021-28165 - Upgrade jetty to 9.4.39", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r077b76cafb61520c14c87c4fc76419ed664002da0ddac5ad851ae7e7@%3Cjira.kafka.apache.org%3E" }, { "name": "[kafka-jira] 20210413 [jira] [Resolved] (KAFKA-12655) CVE-2021-28165 - Upgrade jetty to 9.4.39", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/rd755dfe5f658c42704540ad7950cebd136739089c3231658e398cf38@%3Cjira.kafka.apache.org%3E" }, { "name": "[ignite-issues] 20210413 [jira] [Created] (IGNITE-14527) CVE-2021-2816[3,4,5] in Jetty", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r5b3693da7ecb8a75c0e930b4ca26a5f97aa0207d9dae4aa8cc65fe6b@%3Cissues.ignite.apache.org%3E" }, { "name": "[kafka-jira] 20210413 [GitHub] [kafka] chia7712 merged pull request #10526: KAFKA-12655: CVE-2021-28165 - Upgrade jetty to 9.4.39", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r6f256a1d15505f79f4050a69bb8f27b34cb353604dd2f765c9da5df7@%3Cjira.kafka.apache.org%3E" }, { "name": "[ignite-dev] 20210413 [jira] [Created] (IGNITE-14527) CVE-2021-2816[3,4,5] in Jetty", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/rd7c8fb305a8637480dc943ba08424c8992dccad018cd1405eb2afe0e@%3Cdev.ignite.apache.org%3E" }, { "name": "[kafka-jira] 20210413 [jira] [Updated] (KAFKA-12655) CVE-2021-28165 - Upgrade jetty to 9.4.39", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/rc4dbc9907b0bdd634200ac90a15283d9c143c11af66e7ec72128d020@%3Cjira.kafka.apache.org%3E" }, { "name": "[kafka-dev] 20210413 [jira] [Resolved] (KAFKA-12655) CVE-2021-28165 - Upgrade jetty to 9.4.39", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r694e57d74fcaa48818a03c282aecfa13ae68340c798dfcb55cb7acc7@%3Cdev.kafka.apache.org%3E" }, { "name": "[kafka-jira] 20210413 [GitHub] [kafka] chia7712 commented on pull request #10526: KAFKA-12655: CVE-2021-28165 - Upgrade jetty to 9.4.39", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/rd9ea411a58925cc82c32e15f541ead23cb25b4b2d57a2bdb0341536e@%3Cjira.kafka.apache.org%3E" }, { "name": "[kafka-jira] 20210413 [GitHub] [kafka] edwin092 commented on pull request #10526: KAFKA-12655: CVE-2021-28165 - Upgrade jetty to 9.4.39", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r6b070441871a4e6ce8bb63e190c879bb60da7c5e15023de29ebd4f9f@%3Cjira.kafka.apache.org%3E" }, { "name": "[kafka-jira] 20210413 [GitHub] [kafka] dongjinleekr commented on pull request #10526: KAFKA-12655: CVE-2021-28165 - Upgrade jetty to 9.4.39", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r81748d56923882543f5be456043c67daef84d631cf54899082058ef1@%3Cjira.kafka.apache.org%3E" }, { "name": "[solr-issues] 20210414 [jira] [Updated] (SOLR-15338) High security vulnerability in Jetty library CVE-2021-28163 (+5) bundled within Solr", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r0841b06b48324cfc81325de3c05a92e53f997185f9d71ff47734d961@%3Cissues.solr.apache.org%3E" }, { "name": "[oss-security] 20210420 Vulnerability in Jenkins", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2021/04/20/3" }, { "name": "[ignite-issues] 20210426 [jira] [Updated] (IGNITE-14527) CVE-2021-2816[3,4,5] in Jetty", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r6ac9e263129328c0db9940d72b4a6062e703c58918dd34bd22cdf8dd@%3Cissues.ignite.apache.org%3E" }, { "name": "[ignite-issues] 20210426 [jira] [Commented] (IGNITE-14527) CVE-2021-2816[3,4,5] in Jetty", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r4a66bfbf62281e31bc1345ebecbfd96f35199eecd77bfe4e903e906f@%3Cissues.ignite.apache.org%3E" }, { "name": "[ignite-issues] 20210426 [jira] [Updated] (IGNITE-14527) Upgrade Jetty version to fix CVE-2021-2816[3,4,5] in Jetty", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r4b1fef117bccc7f5fd4c45fd2cabc26838df823fe5ca94bc42a4fd46@%3Cissues.ignite.apache.org%3E" }, { "name": "[solr-issues] 20210507 [jira] [Updated] (SOLR-15338) High security vulnerability in Jetty library CVE-2021-28163 (+5) bundled within Solr", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r111f1ce28b133a8090ca4f809a1bdf18a777426fc058dc3a16c39c66@%3Cissues.solr.apache.org%3E" }, { "name": "[spark-reviews] 20210517 [GitHub] [spark] jeffreysmooth commented on pull request #32095: [SPARK-34988][CORE][3.1] Upgrade Jetty for CVE-2021-28165", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r401b1c592f295b811608010a70792b11c91885b72af9f9410cffbe35@%3Creviews.spark.apache.org%3E" }, { "name": "[spark-reviews] 20210517 [GitHub] [spark] dongjoon-hyun commented on pull request #32095: [SPARK-34988][CORE][3.1] Upgrade Jetty for CVE-2021-28165", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r64ff94118f6c80e6c085c6e2d51bbb490eaefad0642db8c936e4f0b7@%3Creviews.spark.apache.org%3E" }, { "name": "[solr-issues] 20210623 [jira] [Updated] (SOLR-15338) High security vulnerability in Jetty library CVE-2021-28163 (+5) bundled within Solr", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r2ea2f0541121f17e470a0184843720046c59d4bde6d42bf5ca6fad81@%3Cissues.solr.apache.org%3E" }, { "name": "[solr-issues] 20210711 [jira] [Created] (SOLR-15529) High security vulnerability in JDOM library bundled within Solr 8.9 CVE-2021-33813", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r9974f64723875052e02787b2a5eda689ac5247c71b827d455e5dc9a6@%3Cissues.solr.apache.org%3E" }, { "name": "[solr-issues] 20210711 [jira] [Updated] (SOLR-15529) High security vulnerability in JDOM library bundled within Solr 8.9 CVE-2021-33813", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/rbc075a4ac85e7a8e47420b7383f16ffa0af3b792b8423584735f369f@%3Cissues.solr.apache.org%3E" }, { "name": "[kafka-jira] 20210715 [jira] [Commented] (KAFKA-12655) CVE-2021-28165 - Upgrade jetty to 9.4.39", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r40136c2010fccf4fb2818a965e5d7ecca470e5f525c232ec5b8eb83a@%3Cjira.kafka.apache.org%3E" }, { "name": "https://www.oracle.com//security-alerts/cpujul2021.html", "refsource": "MISC", "url": "https://www.oracle.com//security-alerts/cpujul2021.html" }, { "name": "https://security.netapp.com/advisory/ntap-20210611-0006/", "refsource": "CONFIRM", "url": "https://security.netapp.com/advisory/ntap-20210611-0006/" }, { "name": "DSA-4949", "refsource": "DEBIAN", "url": "https://www.debian.org/security/2021/dsa-4949" }, { "name": "[solr-issues] 20210813 [jira] [Resolved] (SOLR-15338) High security vulnerability in Jetty library CVE-2021-28163 (+5) bundled within Solr", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/rd0471252aeb3384c3cfa6d131374646d4641b80dd313e7b476c47a9c@%3Cissues.solr.apache.org%3E" }, { "name": "https://www.oracle.com/security-alerts/cpuoct2021.html", "refsource": "MISC", "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" }, { "name": "https://www.oracle.com/security-alerts/cpujan2022.html", "refsource": "MISC", "url": "https://www.oracle.com/security-alerts/cpujan2022.html" }, { "name": "https://www.oracle.com/security-alerts/cpuapr2022.html", "refsource": "MISC", "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" } ] } } } }, "cveMetadata": { "assignerOrgId": "e51fbebd-6053-4e49-959f-1b94eeb69a2c", "assignerShortName": "eclipse", "cveId": "CVE-2021-28165", "datePublished": "2021-04-01T14:20:14", "dateReserved": "2021-03-12T00:00:00", "dateUpdated": "2024-08-03T21:40:12.085Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2022-25647
Vulnerability from cvelistv5
Published
2022-05-01 15:30
Modified
2024-09-17 03:32
Severity ?
EPSS score ?
Summary
The package com.google.code.gson:gson before 2.8.9 are vulnerable to Deserialization of Untrusted Data via the writeReplace() method in internal classes, which may lead to DoS attacks.
References
▼ | URL | Tags |
---|---|---|
https://snyk.io/vuln/SNYK-JAVA-COMGOOGLECODEGSON-1730327 | x_refsource_MISC | |
https://github.com/google/gson/pull/1991 | x_refsource_MISC | |
https://github.com/google/gson/pull/1991/commits | x_refsource_MISC | |
https://lists.debian.org/debian-lts-announce/2022/05/msg00015.html | mailing-list, x_refsource_MLIST | |
https://www.oracle.com/security-alerts/cpujul2022.html | x_refsource_MISC | |
https://security.netapp.com/advisory/ntap-20220901-0009/ | x_refsource_CONFIRM | |
https://lists.debian.org/debian-lts-announce/2022/09/msg00009.html | mailing-list, x_refsource_MLIST | |
https://www.debian.org/security/2022/dsa-5227 | vendor-advisory, x_refsource_DEBIAN |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | n/a | com.google.code.gson:gson |
Version: unspecified < 2.8.9 |
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T04:42:50.328Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://snyk.io/vuln/SNYK-JAVA-COMGOOGLECODEGSON-1730327" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/google/gson/pull/1991" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/google/gson/pull/1991/commits" }, { "name": "[debian-lts-announce] 20220513 [SECURITY] [DLA 3001-1] libgoogle-gson-java security update", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.debian.org/debian-lts-announce/2022/05/msg00015.html" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.oracle.com/security-alerts/cpujul2022.html" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://security.netapp.com/advisory/ntap-20220901-0009/" }, { "name": "[debian-lts-announce] 20220907 [SECURITY] [DLA 3100-1] libgoogle-gson-java security update", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.debian.org/debian-lts-announce/2022/09/msg00009.html" }, { "name": "DSA-5227", "tags": [ "vendor-advisory", "x_refsource_DEBIAN", "x_transferred" ], "url": "https://www.debian.org/security/2022/dsa-5227" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "com.google.code.gson:gson", "vendor": "n/a", "versions": [ { "lessThan": "2.8.9", "status": "affected", "version": "unspecified", "versionType": "custom" } ] } ], "credits": [ { "lang": "en", "value": "Marcono1234" } ], "datePublic": "2022-05-01T00:00:00", "descriptions": [ { "lang": "en", "value": "The package com.google.code.gson:gson before 2.8.9 are vulnerable to Deserialization of Untrusted Data via the writeReplace() method in internal classes, which may lead to DoS attacks." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:H", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "description": "Deserialization of Untrusted Data", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2022-09-07T20:06:16", "orgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730", "shortName": "snyk" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://snyk.io/vuln/SNYK-JAVA-COMGOOGLECODEGSON-1730327" }, { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/google/gson/pull/1991" }, { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/google/gson/pull/1991/commits" }, { "name": "[debian-lts-announce] 20220513 [SECURITY] [DLA 3001-1] libgoogle-gson-java security update", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.debian.org/debian-lts-announce/2022/05/msg00015.html" }, { "tags": [ "x_refsource_MISC" ], "url": "https://www.oracle.com/security-alerts/cpujul2022.html" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://security.netapp.com/advisory/ntap-20220901-0009/" }, { "name": "[debian-lts-announce] 20220907 [SECURITY] [DLA 3100-1] libgoogle-gson-java security update", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.debian.org/debian-lts-announce/2022/09/msg00009.html" }, { "name": "DSA-5227", "tags": [ "vendor-advisory", "x_refsource_DEBIAN" ], "url": "https://www.debian.org/security/2022/dsa-5227" } ], "title": "Deserialization of Untrusted Data", "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "report@snyk.io", "DATE_PUBLIC": "2022-05-01T15:25:25.581039Z", "ID": "CVE-2022-25647", "STATE": "PUBLIC", "TITLE": "Deserialization of Untrusted Data" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "com.google.code.gson:gson", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "2.8.9" } ] } } ] }, "vendor_name": "n/a" } ] } }, "credit": [ { "lang": "eng", "value": "Marcono1234" } ], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "The package com.google.code.gson:gson before 2.8.9 are vulnerable to Deserialization of Untrusted Data via the writeReplace() method in internal classes, which may lead to DoS attacks." } ] }, "impact": { "cvss": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:H", "version": "3.1" } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Deserialization of Untrusted Data" } ] } ] }, "references": { "reference_data": [ { "name": "https://snyk.io/vuln/SNYK-JAVA-COMGOOGLECODEGSON-1730327", "refsource": "MISC", "url": "https://snyk.io/vuln/SNYK-JAVA-COMGOOGLECODEGSON-1730327" }, { "name": "https://github.com/google/gson/pull/1991", "refsource": "MISC", "url": "https://github.com/google/gson/pull/1991" }, { "name": "https://github.com/google/gson/pull/1991/commits", "refsource": "MISC", "url": "https://github.com/google/gson/pull/1991/commits" }, { "name": "[debian-lts-announce] 20220513 [SECURITY] [DLA 3001-1] libgoogle-gson-java security update", "refsource": "MLIST", "url": "https://lists.debian.org/debian-lts-announce/2022/05/msg00015.html" }, { "name": "https://www.oracle.com/security-alerts/cpujul2022.html", "refsource": "MISC", "url": "https://www.oracle.com/security-alerts/cpujul2022.html" }, { "name": "https://security.netapp.com/advisory/ntap-20220901-0009/", "refsource": "CONFIRM", "url": "https://security.netapp.com/advisory/ntap-20220901-0009/" }, { "name": "[debian-lts-announce] 20220907 [SECURITY] [DLA 3100-1] libgoogle-gson-java security update", "refsource": "MLIST", "url": "https://lists.debian.org/debian-lts-announce/2022/09/msg00009.html" }, { "name": "DSA-5227", "refsource": "DEBIAN", "url": "https://www.debian.org/security/2022/dsa-5227" } ] } } } }, "cveMetadata": { "assignerOrgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730", "assignerShortName": "snyk", "cveId": "CVE-2022-25647", "datePublished": "2022-05-01T15:30:29.223346Z", "dateReserved": "2022-02-24T00:00:00", "dateUpdated": "2024-09-17T03:32:46.390Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2022-41704
Vulnerability from cvelistv5
Published
2022-10-25 00:00
Modified
2024-08-03 12:49
Severity ?
EPSS score ?
Summary
A vulnerability in Batik of Apache XML Graphics allows an attacker to run untrusted Java code from an SVG. This issue affects Apache XML Graphics prior to 1.16. It is recommended to update to version 1.16.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | Apache Software Foundation | Apache XML Graphics |
Version: Batik < |
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T12:49:44.004Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://lists.apache.org/thread/hplhx0o74jb7blj39fm4kw3otcnjd6xf" }, { "name": "[oss-security] 20221025 [CVE-2022-41704] Apache Batik information disclosure vulnerability", "tags": [ "mailing-list", "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2022/10/25/2" }, { "name": "[debian-lts-announce] 20221029 [SECURITY] [DLA 3169-1] batik security update", "tags": [ "mailing-list", "x_transferred" ], "url": "https://lists.debian.org/debian-lts-announce/2022/10/msg00038.html" }, { "name": "DSA-5264", "tags": [ "vendor-advisory", "x_transferred" ], "url": "https://www.debian.org/security/2022/dsa-5264" }, { "name": "GLSA-202401-11", "tags": [ "vendor-advisory", "x_transferred" ], "url": "https://security.gentoo.org/glsa/202401-11" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Apache XML Graphics", "vendor": "Apache Software Foundation", "versions": [ { "lessThanOrEqual": "1.15", "status": "affected", "version": "Batik", "versionType": "custom" } ] } ], "credits": [ { "lang": "en", "value": "This issue was independently reported by 4ra1n of Chaitin Tech and pwnull" } ], "descriptions": [ { "lang": "en", "value": "A vulnerability in Batik of Apache XML Graphics allows an attacker to run untrusted Java code from an SVG. This issue affects Apache XML Graphics prior to 1.16. It is recommended to update to version 1.16." } ], "problemTypes": [ { "descriptions": [ { "description": "A jar file can be loaded from svg script element", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2024-01-07T11:06:25.134503", "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache" }, "references": [ { "url": "https://lists.apache.org/thread/hplhx0o74jb7blj39fm4kw3otcnjd6xf" }, { "name": "[oss-security] 20221025 [CVE-2022-41704] Apache Batik information disclosure vulnerability", "tags": [ "mailing-list" ], "url": "http://www.openwall.com/lists/oss-security/2022/10/25/2" }, { "name": "[debian-lts-announce] 20221029 [SECURITY] [DLA 3169-1] batik security update", "tags": [ "mailing-list" ], "url": "https://lists.debian.org/debian-lts-announce/2022/10/msg00038.html" }, { "name": "DSA-5264", "tags": [ "vendor-advisory" ], "url": "https://www.debian.org/security/2022/dsa-5264" }, { "name": "GLSA-202401-11", "tags": [ "vendor-advisory" ], "url": "https://security.gentoo.org/glsa/202401-11" } ], "source": { "discovery": "UNKNOWN" }, "title": "Apache Batik prior to 1.16 allows RCE when loading untrusted SVG input", "x_generator": { "engine": "Vulnogram 0.0.9" } } }, "cveMetadata": { "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "assignerShortName": "apache", "cveId": "CVE-2022-41704", "datePublished": "2022-10-25T00:00:00", "dateReserved": "2022-09-28T00:00:00", "dateUpdated": "2024-08-03T12:49:44.004Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2023-34396
Vulnerability from cvelistv5
Published
2023-06-14 07:50
Modified
2024-10-09 14:05
Severity ?
EPSS score ?
Summary
Allocation of Resources Without Limits or Throttling vulnerability in Apache Software Foundation Apache Struts.This issue affects Apache Struts: through 2.5.30, through 6.1.2.
Upgrade to Struts 2.5.31 or 6.1.2.1 or greater
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | Apache Software Foundation | Apache Struts |
Version: 0 ≤ 2.5.30 Version: 0 ≤ 6.1.2 |
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T16:10:06.825Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "vendor-advisory", "x_transferred" ], "url": "https://cwiki.apache.org/confluence/display/WW/S2-064" }, { "tags": [ "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2023/06/14/3" }, { "tags": [ "x_transferred" ], "url": "https://security.netapp.com/advisory/ntap-20230706-0005/" } ], "title": "CVE Program Container" }, { "metrics": [ { "other": { "content": { "id": "CVE-2023-34396", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-10-09T14:04:35.407590Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-10-09T14:05:03.232Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "affected", "product": "Apache Struts", "vendor": "Apache Software Foundation", "versions": [ { "lessThanOrEqual": "2.5.30", "status": "affected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "6.1.2", "status": "affected", "version": "0", "versionType": "semver" } ] } ], "credits": [ { "lang": "en", "type": "finder", "value": "Matthew McClain" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "Allocation of Resources Without Limits or Throttling vulnerability in Apache Software Foundation Apache Struts.\u003cp\u003eThis issue affects Apache Struts: through 2.5.30, through 6.1.2.\u003c/p\u003e\u003cp\u003eUpgrade to Struts 2.5.31 or 6.1.2.1 or greater\u003cbr\u003e\u003c/p\u003e" } ], "value": "Allocation of Resources Without Limits or Throttling vulnerability in Apache Software Foundation Apache Struts.This issue affects Apache Struts: through 2.5.30, through 6.1.2.\n\nUpgrade to Struts 2.5.31 or 6.1.2.1 or greater\n\n\n" } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-770", "description": "CWE-770 Allocation of Resources Without Limits or Throttling", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2023-06-14T07:50:59.730Z", "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache" }, "references": [ { "tags": [ "vendor-advisory" ], "url": "https://cwiki.apache.org/confluence/display/WW/S2-064" }, { "url": "http://www.openwall.com/lists/oss-security/2023/06/14/3" }, { "url": "https://security.netapp.com/advisory/ntap-20230706-0005/" } ], "source": { "advisory": "S2-064", "discovery": "EXTERNAL" }, "title": "Apache Struts: DoS via OOM owing to no sanity limit on normal form fields in multipart forms", "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "assignerShortName": "apache", "cveId": "CVE-2023-34396", "datePublished": "2023-06-14T07:50:59.730Z", "dateReserved": "2023-06-04T07:33:59.947Z", "dateUpdated": "2024-10-09T14:05:03.232Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2023-2976
Vulnerability from cvelistv5
Published
2023-06-14 17:36
Modified
2024-08-02 06:41
Severity ?
EPSS score ?
Summary
Use of Java's default temporary directory for file creation in `FileBackedOutputStream` in Google Guava versions 1.0 to 31.1 on Unix systems and Android Ice Cream Sandwich allows other users and apps on the machine with access to the default Java temporary directory to be able to access the files created by the class.
Even though the security vulnerability is fixed in version 32.0.0, we recommend using version 32.0.1 as version 32.0.0 breaks some functionality under Windows.
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T06:41:03.778Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://github.com/google/guava/issues/2575" }, { "tags": [ "x_transferred" ], "url": "https://security.netapp.com/advisory/ntap-20230818-0008/" }, { "tags": [ "x_transferred" ], "url": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01006.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Guava", "vendor": "Google", "versions": [ { "lessThan": "32.0.0", "status": "affected", "version": "1.0", "versionType": "custom" } ] } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eUse of Java\u0027s default temporary directory for file creation in `FileBackedOutputStream` in Google Guava versions 1.0 to 31.1 on Unix systems and Android Ice Cream Sandwich allows other users and apps on the machine with access to the default Java temporary directory to be able to access the files created by the class.\u003c/p\u003e\u003cp\u003eEven though the security vulnerability is fixed in version 32.0.0, we recommend using version 32.0.1 as version 32.0.0 breaks some functionality under Windows.\u003c/p\u003e" } ], "value": "Use of Java\u0027s default temporary directory for file creation in `FileBackedOutputStream` in Google Guava versions 1.0 to 31.1 on Unix systems and Android Ice Cream Sandwich allows other users and apps on the machine with access to the default Java temporary directory to be able to access the files created by the class.\n\nEven though the security vulnerability is fixed in version 32.0.0, we recommend using version 32.0.1 as version 32.0.0 breaks some functionality under Windows.\n\n" } ], "impacts": [ { "capecId": "CAPEC-212", "descriptions": [ { "lang": "en", "value": "CAPEC-212 Functionality Misuse" } ] } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "description": "Creation of Temporary File With Insecure Permissions", "lang": "en" } ] } ], "providerMetadata": { "dateUpdated": "2023-06-14T17:36:40.640Z", "orgId": "14ed7db2-1595-443d-9d34-6215bf890778", "shortName": "Google" }, "references": [ { "url": "https://github.com/google/guava/issues/2575" }, { "url": "https://security.netapp.com/advisory/ntap-20230818-0008/" }, { "url": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01006.html" } ], "source": { "discovery": "EXTERNAL" }, "title": "Use of temporary directory for file creation in `FileBackedOutputStream` in Guava", "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "14ed7db2-1595-443d-9d34-6215bf890778", "assignerShortName": "Google", "cveId": "CVE-2023-2976", "datePublished": "2023-06-14T17:36:40.640Z", "dateReserved": "2023-05-30T13:15:41.560Z", "dateUpdated": "2024-08-02T06:41:03.778Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2022-42890
Vulnerability from cvelistv5
Published
2022-10-25 00:00
Modified
2024-08-03 13:19
Severity ?
EPSS score ?
Summary
A vulnerability in Batik of Apache XML Graphics allows an attacker to run Java code from untrusted SVG via JavaScript. This issue affects Apache XML Graphics prior to 1.16. Users are recommended to upgrade to version 1.16.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | Apache Software Foundation | Apache XML Graphics |
Version: Batik < |
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T13:19:05.216Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://lists.apache.org/thread/pkvhy0nsj1h1mlon008wtzhosbtxjwly" }, { "name": "[oss-security] 20221025 [CVE-2022-42890] Apache Batik information disclosure vulnerability", "tags": [ "mailing-list", "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2022/10/25/3" }, { "name": "[debian-lts-announce] 20221029 [SECURITY] [DLA 3169-1] batik security update", "tags": [ "mailing-list", "x_transferred" ], "url": "https://lists.debian.org/debian-lts-announce/2022/10/msg00038.html" }, { "name": "DSA-5264", "tags": [ "vendor-advisory", "x_transferred" ], "url": "https://www.debian.org/security/2022/dsa-5264" }, { "name": "GLSA-202401-11", "tags": [ "vendor-advisory", "x_transferred" ], "url": "https://security.gentoo.org/glsa/202401-11" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Apache XML Graphics", "vendor": "Apache Software Foundation", "versions": [ { "lessThanOrEqual": "1.15", "status": "affected", "version": "Batik", "versionType": "custom" } ] } ], "credits": [ { "lang": "en", "value": "This issue was independently reported by Y4tacker and 4ra1n of Chaitin Tech" } ], "descriptions": [ { "lang": "en", "value": "A vulnerability in Batik of Apache XML Graphics allows an attacker to run Java code from untrusted SVG via JavaScript. This issue affects Apache XML Graphics prior to 1.16. Users are recommended to upgrade to version 1.16." } ], "problemTypes": [ { "descriptions": [ { "description": "Remote code execution via batik scripting", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2024-01-07T11:06:20.509832", "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache" }, "references": [ { "url": "https://lists.apache.org/thread/pkvhy0nsj1h1mlon008wtzhosbtxjwly" }, { "name": "[oss-security] 20221025 [CVE-2022-42890] Apache Batik information disclosure vulnerability", "tags": [ "mailing-list" ], "url": "http://www.openwall.com/lists/oss-security/2022/10/25/3" }, { "name": "[debian-lts-announce] 20221029 [SECURITY] [DLA 3169-1] batik security update", "tags": [ "mailing-list" ], "url": "https://lists.debian.org/debian-lts-announce/2022/10/msg00038.html" }, { "name": "DSA-5264", "tags": [ "vendor-advisory" ], "url": "https://www.debian.org/security/2022/dsa-5264" }, { "name": "GLSA-202401-11", "tags": [ "vendor-advisory" ], "url": "https://security.gentoo.org/glsa/202401-11" } ], "source": { "discovery": "UNKNOWN" }, "title": "Apache Batik prior to 1.16 allows RCE via scripting", "x_generator": { "engine": "Vulnogram 0.0.9" } } }, "cveMetadata": { "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "assignerShortName": "apache", "cveId": "CVE-2022-42890", "datePublished": "2022-10-25T00:00:00", "dateReserved": "2022-10-12T00:00:00", "dateUpdated": "2024-08-03T13:19:05.216Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2021-40690
Vulnerability from cvelistv5
Published
2021-09-19 00:00
Modified
2024-08-04 02:51
Severity ?
EPSS score ?
Summary
All versions of Apache Santuario - XML Security for Java prior to 2.2.3 and 2.1.7 are vulnerable to an issue where the "secureValidation" property is not passed correctly when creating a KeyInfo from a KeyInfoReference element. This allows an attacker to abuse an XPath Transform to extract any local .xml files in a RetrievalMethod element.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | Apache Software Foundation | Apache Santuario |
Version: XML Security for Java < 2.2.3,2.1.7 |
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T02:51:06.487Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://lists.apache.org/thread.html/r8848751b6a5dd78cc9e99d627e74fecfaffdfa1bb615dce827aad633%40%3Cdev.santuario.apache.org%3E" }, { "name": "[tomee-commits] 20210922 [tomee] 02/02: Update xmlsec to 2.2.3 to mitigate CVE-2021-40690", "tags": [ "mailing-list", "x_transferred" ], "url": "https://lists.apache.org/thread.html/rbdac116aef912b563da54f4c152222c0754e32fb2f785519ac5e059f%40%3Ccommits.tomee.apache.org%3E" }, { "name": "[tomee-commits] 20210923 [jira] [Resolved] (TOMEE-3798) TomEE (8.0.8) is affected by CVE-2021-40690 vulnerability", "tags": [ "mailing-list", "x_transferred" ], "url": "https://lists.apache.org/thread.html/re294cfc61f509512874ea514d8d64fd276253d54ac378ffa7a4880c8%40%3Ccommits.tomee.apache.org%3E" }, { "name": "[tomee-commits] 20210923 [jira] [Created] (TOMEE-3798) TomEE (8.0.8) is affected by CVE-2021-40690 vulnerability", "tags": [ "mailing-list", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r8a5c0ce9014bd07303aec1e5eed55951704878016465d3dae00e0c28%40%3Ccommits.tomee.apache.org%3E" }, { "name": "[tomee-commits] 20210923 [jira] [Assigned] (TOMEE-3798) TomEE (8.0.8) is affected by CVE-2021-40690 vulnerability", "tags": [ "mailing-list", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r9c100d53c84d54cf71975e3f0cfcc2856a8846554a04c99390156ce4%40%3Ccommits.tomee.apache.org%3E" }, { "name": "[tomee-commits] 20210923 [jira] [Updated] (TOMEE-3798) TomEE (8.0.8) is affected by CVE-2021-40690 vulnerability", "tags": [ "mailing-list", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r3b3f5ba9b0de8c9c125077b71af06026d344a709a8ba67db81ee9faa%40%3Ccommits.tomee.apache.org%3E" }, { "name": "[poi-user] 20210923 Re: CVE-2021-40690 on xmlsec jar", "tags": [ "mailing-list", "x_transferred" ], "url": "https://lists.apache.org/thread.html/raf352f95c19c0c4051af3180752cb69acbea88d0d066ab176c6170e8%40%3Cuser.poi.apache.org%3E" }, { "name": "[debian-lts-announce] 20210927 [SECURITY] [DLA 2767-1] libxml-security-java security update", "tags": [ "mailing-list", "x_transferred" ], "url": "https://lists.debian.org/debian-lts-announce/2021/09/msg00015.html" }, { "name": "[cxf-issues] 20211027 [jira] [Created] (CXF-8613) High Security issues reported with Apache Santuario library bundled in CXF 3.4.4", "tags": [ "mailing-list", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r401ecb7274794f040cd757b259ebe3e8c463ae74f7961209ccad3c59%40%3Cissues.cxf.apache.org%3E" }, { "name": "[tomee-commits] 20211028 [jira] [Updated] (TOMEE-3798) TomEE (8.0.8) is affected by CVE-2021-40690 vulnerability", "tags": [ "mailing-list", "x_transferred" ], "url": "https://lists.apache.org/thread.html/rbbbac0759b12472abd0c278d32b5e0867bb21934df8e14e5e641597c%40%3Ccommits.tomee.apache.org%3E" }, { "name": "DSA-5010", "tags": [ "vendor-advisory", "x_transferred" ], "url": "https://www.debian.org/security/2021/dsa-5010" }, { "tags": [ "x_transferred" ], "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" }, { "tags": [ "x_transferred" ], "url": "https://www.oracle.com/security-alerts/cpujul2022.html" }, { "tags": [ "x_transferred" ], "url": "https://security.netapp.com/advisory/ntap-20230818-0002/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Apache Santuario", "vendor": "Apache Software Foundation", "versions": [ { "lessThan": "2.2.3,2.1.7", "status": "affected", "version": "XML Security for Java", "versionType": "custom" } ] } ], "credits": [ { "lang": "en", "value": "An Trinh, Calif." } ], "descriptions": [ { "lang": "en", "value": "All versions of Apache Santuario - XML Security for Java prior to 2.2.3 and 2.1.7 are vulnerable to an issue where the \"secureValidation\" property is not passed correctly when creating a KeyInfo from a KeyInfoReference element. This allows an attacker to abuse an XPath Transform to extract any local .xml files in a RetrievalMethod element." } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-200", "description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2023-08-18T13:06:19.359156", "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache" }, "references": [ { "url": "https://lists.apache.org/thread.html/r8848751b6a5dd78cc9e99d627e74fecfaffdfa1bb615dce827aad633%40%3Cdev.santuario.apache.org%3E" }, { "name": "[tomee-commits] 20210922 [tomee] 02/02: Update xmlsec to 2.2.3 to mitigate CVE-2021-40690", "tags": [ "mailing-list" ], "url": "https://lists.apache.org/thread.html/rbdac116aef912b563da54f4c152222c0754e32fb2f785519ac5e059f%40%3Ccommits.tomee.apache.org%3E" }, { "name": "[tomee-commits] 20210923 [jira] [Resolved] (TOMEE-3798) TomEE (8.0.8) is affected by CVE-2021-40690 vulnerability", "tags": [ "mailing-list" ], "url": "https://lists.apache.org/thread.html/re294cfc61f509512874ea514d8d64fd276253d54ac378ffa7a4880c8%40%3Ccommits.tomee.apache.org%3E" }, { "name": "[tomee-commits] 20210923 [jira] [Created] (TOMEE-3798) TomEE (8.0.8) is affected by CVE-2021-40690 vulnerability", "tags": [ "mailing-list" ], "url": "https://lists.apache.org/thread.html/r8a5c0ce9014bd07303aec1e5eed55951704878016465d3dae00e0c28%40%3Ccommits.tomee.apache.org%3E" }, { "name": "[tomee-commits] 20210923 [jira] [Assigned] (TOMEE-3798) TomEE (8.0.8) is affected by CVE-2021-40690 vulnerability", "tags": [ "mailing-list" ], "url": "https://lists.apache.org/thread.html/r9c100d53c84d54cf71975e3f0cfcc2856a8846554a04c99390156ce4%40%3Ccommits.tomee.apache.org%3E" }, { "name": "[tomee-commits] 20210923 [jira] [Updated] (TOMEE-3798) TomEE (8.0.8) is affected by CVE-2021-40690 vulnerability", "tags": [ "mailing-list" ], "url": "https://lists.apache.org/thread.html/r3b3f5ba9b0de8c9c125077b71af06026d344a709a8ba67db81ee9faa%40%3Ccommits.tomee.apache.org%3E" }, { "name": "[poi-user] 20210923 Re: CVE-2021-40690 on xmlsec jar", "tags": [ "mailing-list" ], "url": "https://lists.apache.org/thread.html/raf352f95c19c0c4051af3180752cb69acbea88d0d066ab176c6170e8%40%3Cuser.poi.apache.org%3E" }, { "name": "[debian-lts-announce] 20210927 [SECURITY] [DLA 2767-1] libxml-security-java security update", "tags": [ "mailing-list" ], "url": "https://lists.debian.org/debian-lts-announce/2021/09/msg00015.html" }, { "name": "[cxf-issues] 20211027 [jira] [Created] (CXF-8613) High Security issues reported with Apache Santuario library bundled in CXF 3.4.4", "tags": [ "mailing-list" ], "url": "https://lists.apache.org/thread.html/r401ecb7274794f040cd757b259ebe3e8c463ae74f7961209ccad3c59%40%3Cissues.cxf.apache.org%3E" }, { "name": "[tomee-commits] 20211028 [jira] [Updated] (TOMEE-3798) TomEE (8.0.8) is affected by CVE-2021-40690 vulnerability", "tags": [ "mailing-list" ], "url": "https://lists.apache.org/thread.html/rbbbac0759b12472abd0c278d32b5e0867bb21934df8e14e5e641597c%40%3Ccommits.tomee.apache.org%3E" }, { "name": "DSA-5010", "tags": [ "vendor-advisory" ], "url": "https://www.debian.org/security/2021/dsa-5010" }, { "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" }, { "url": "https://www.oracle.com/security-alerts/cpujul2022.html" }, { "url": "https://security.netapp.com/advisory/ntap-20230818-0002/" } ], "source": { "discovery": "UNKNOWN" }, "title": "Bypass of the secureValidation property", "x_generator": { "engine": "Vulnogram 0.0.9" } } }, "cveMetadata": { "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "assignerShortName": "apache", "cveId": "CVE-2021-40690", "datePublished": "2021-09-19T00:00:00", "dateReserved": "2021-09-08T00:00:00", "dateUpdated": "2024-08-04T02:51:06.487Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
Loading…
Loading…
Sightings
Author | Source | Type | Date |
---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.