Action not permitted
Modal body text goes here.
Modal Title
Modal Body
CVE-2013-3827 (GCVE-0-2013-3827)
Vulnerability from cvelistv5 – Published: 2013-10-16 15:00 – Updated: 2024-08-06 16:22
VLAI?
EPSS
Summary
Unspecified vulnerability in the Oracle GlassFish Server component in Oracle Fusion Middleware 2.1.1, 3.0.1, and 3.1.2; the Oracle JDeveloper component in Oracle Fusion Middleware 11.1.2.3.0, 11.1.2.4.0, and 12.1.2.0.0; and the Oracle WebLogic Server component in Oracle Fusion Middleware 10.3.6.0 and 12.1.1 allows remote attackers to affect confidentiality via unknown vectors related to Java Server Faces or Web Container.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T16:22:01.408Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "63052",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/63052"
},
{
"name": "RHSA-2014:0029",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "http://rhn.redhat.com/errata/RHSA-2014-0029.html"
},
{
"name": "VU#526012",
"tags": [
"third-party-advisory",
"x_refsource_CERT-VN",
"x_transferred"
],
"url": "http://www.kb.cert.org/vuls/id/526012"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://www.oracle.com/technetwork/topics/security/cpuoct2013-1899837.html"
},
{
"name": "1029190",
"tags": [
"vdb-entry",
"x_refsource_SECTRACK",
"x_transferred"
],
"url": "http://www.securitytracker.com/id/1029190"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2013-10-15T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Unspecified vulnerability in the Oracle GlassFish Server component in Oracle Fusion Middleware 2.1.1, 3.0.1, and 3.1.2; the Oracle JDeveloper component in Oracle Fusion Middleware 11.1.2.3.0, 11.1.2.4.0, and 12.1.2.0.0; and the Oracle WebLogic Server component in Oracle Fusion Middleware 10.3.6.0 and 12.1.1 allows remote attackers to affect confidentiality via unknown vectors related to Java Server Faces or Web Container."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2016-12-29T18:57:01",
"orgId": "43595867-4340-4103-b7a2-9a5208d29a85",
"shortName": "oracle"
},
"references": [
{
"name": "63052",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/63052"
},
{
"name": "RHSA-2014:0029",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "http://rhn.redhat.com/errata/RHSA-2014-0029.html"
},
{
"name": "VU#526012",
"tags": [
"third-party-advisory",
"x_refsource_CERT-VN"
],
"url": "http://www.kb.cert.org/vuls/id/526012"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://www.oracle.com/technetwork/topics/security/cpuoct2013-1899837.html"
},
{
"name": "1029190",
"tags": [
"vdb-entry",
"x_refsource_SECTRACK"
],
"url": "http://www.securitytracker.com/id/1029190"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "secalert_us@oracle.com",
"ID": "CVE-2013-3827",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Unspecified vulnerability in the Oracle GlassFish Server component in Oracle Fusion Middleware 2.1.1, 3.0.1, and 3.1.2; the Oracle JDeveloper component in Oracle Fusion Middleware 11.1.2.3.0, 11.1.2.4.0, and 12.1.2.0.0; and the Oracle WebLogic Server component in Oracle Fusion Middleware 10.3.6.0 and 12.1.1 allows remote attackers to affect confidentiality via unknown vectors related to Java Server Faces or Web Container."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "63052",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/63052"
},
{
"name": "RHSA-2014:0029",
"refsource": "REDHAT",
"url": "http://rhn.redhat.com/errata/RHSA-2014-0029.html"
},
{
"name": "VU#526012",
"refsource": "CERT-VN",
"url": "http://www.kb.cert.org/vuls/id/526012"
},
{
"name": "http://www.oracle.com/technetwork/topics/security/cpuoct2013-1899837.html",
"refsource": "CONFIRM",
"url": "http://www.oracle.com/technetwork/topics/security/cpuoct2013-1899837.html"
},
{
"name": "1029190",
"refsource": "SECTRACK",
"url": "http://www.securitytracker.com/id/1029190"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "43595867-4340-4103-b7a2-9a5208d29a85",
"assignerShortName": "oracle",
"cveId": "CVE-2013-3827",
"datePublished": "2013-10-16T15:00:00",
"dateReserved": "2013-06-03T00:00:00",
"dateUpdated": "2024-08-06T16:22:01.408Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"fkie_nvd": {
"configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:oracle:fusion_middleware:2.1.1:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"65528D4C-7391-403D-9E26-F97CE8CD18D2\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:oracle:fusion_middleware:3.0.1:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"D6D8ECF3-446C-4698-8A0D-77983E5C8C73\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:oracle:fusion_middleware:3.1.2:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"41E6A1C1-BDF6-4C1C-A089-E6537E3D576C\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:oracle:fusion_middleware:10.3.6:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"60E0074D-084B-486B-AE30-C6B91F5AF16D\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:oracle:fusion_middleware:11.1.2.3.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"20C3A3CA-4F97-4D4C-AA1F-D674FEFA0CB0\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:oracle:fusion_middleware:11.1.2.4.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"19BA27FF-CE57-4785-9321-E11287A5927B\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:oracle:fusion_middleware:12.1.1:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"B5DF787A-1E24-408B-8956-16A2A6B2015C\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:oracle:fusion_middleware:12.1.2.0.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"D4E67774-F4FB-4EA3-A527-92EF41F84248\"}]}]}]",
"descriptions": "[{\"lang\": \"en\", \"value\": \"Unspecified vulnerability in the Oracle GlassFish Server component in Oracle Fusion Middleware 2.1.1, 3.0.1, and 3.1.2; the Oracle JDeveloper component in Oracle Fusion Middleware 11.1.2.3.0, 11.1.2.4.0, and 12.1.2.0.0; and the Oracle WebLogic Server component in Oracle Fusion Middleware 10.3.6.0 and 12.1.1 allows remote attackers to affect confidentiality via unknown vectors related to Java Server Faces or Web Container.\"}, {\"lang\": \"es\", \"value\": \"Vulnerabilidad no especificada en el componente de Oracle GlassFish Server en Oracle Fusion Middleware 2.1.1, 3.0.1 y 3.1.2, el componente de Oracle JDeveloper de Oracle Fusion Middleware 11.1.2.3.0, 11.1.2.4.0 y 12.1.2.0. 0, y el componente de Oracle WebLogic Server en Oracle Fusion Middleware 10.3.6.0 y 12.1.1 que permite a atacantes remotos afectar la confidencialidad a trav\\u00e9s de vectores desconocidos relacionados con Java Server Faces o el Web Container.\"}]",
"id": "CVE-2013-3827",
"lastModified": "2024-11-21T01:54:22.470",
"metrics": "{\"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:N/AC:L/Au:N/C:P/I:N/A:N\", \"baseScore\": 5.0, \"accessVector\": \"NETWORK\", \"accessComplexity\": \"LOW\", \"authentication\": \"NONE\", \"confidentialityImpact\": \"PARTIAL\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"NONE\"}, \"baseSeverity\": \"MEDIUM\", \"exploitabilityScore\": 10.0, \"impactScore\": 2.9, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": false}]}",
"published": "2013-10-16T15:55:33.820",
"references": "[{\"url\": \"http://rhn.redhat.com/errata/RHSA-2014-0029.html\", \"source\": \"secalert_us@oracle.com\"}, {\"url\": \"http://www.kb.cert.org/vuls/id/526012\", \"source\": \"secalert_us@oracle.com\", \"tags\": [\"US Government Resource\"]}, {\"url\": \"http://www.oracle.com/technetwork/topics/security/cpuoct2013-1899837.html\", \"source\": \"secalert_us@oracle.com\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"http://www.securityfocus.com/bid/63052\", \"source\": \"secalert_us@oracle.com\"}, {\"url\": \"http://www.securitytracker.com/id/1029190\", \"source\": \"secalert_us@oracle.com\"}, {\"url\": \"http://rhn.redhat.com/errata/RHSA-2014-0029.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"http://www.kb.cert.org/vuls/id/526012\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"US Government Resource\"]}, {\"url\": \"http://www.oracle.com/technetwork/topics/security/cpuoct2013-1899837.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"http://www.securityfocus.com/bid/63052\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"http://www.securitytracker.com/id/1029190\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}]",
"sourceIdentifier": "secalert_us@oracle.com",
"vulnStatus": "Modified",
"weaknesses": "[{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"NVD-CWE-noinfo\"}]}]"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2013-3827\",\"sourceIdentifier\":\"secalert_us@oracle.com\",\"published\":\"2013-10-16T15:55:33.820\",\"lastModified\":\"2025-04-11T00:51:21.963\",\"vulnStatus\":\"Deferred\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Unspecified vulnerability in the Oracle GlassFish Server component in Oracle Fusion Middleware 2.1.1, 3.0.1, and 3.1.2; the Oracle JDeveloper component in Oracle Fusion Middleware 11.1.2.3.0, 11.1.2.4.0, and 12.1.2.0.0; and the Oracle WebLogic Server component in Oracle Fusion Middleware 10.3.6.0 and 12.1.1 allows remote attackers to affect confidentiality via unknown vectors related to Java Server Faces or Web Container.\"},{\"lang\":\"es\",\"value\":\"Vulnerabilidad no especificada en el componente de Oracle GlassFish Server en Oracle Fusion Middleware 2.1.1, 3.0.1 y 3.1.2, el componente de Oracle JDeveloper de Oracle Fusion Middleware 11.1.2.3.0, 11.1.2.4.0 y 12.1.2.0. 0, y el componente de Oracle WebLogic Server en Oracle Fusion Middleware 10.3.6.0 y 12.1.1 que permite a atacantes remotos afectar la confidencialidad a trav\u00e9s de vectores desconocidos relacionados con Java Server Faces o el Web Container.\"}],\"metrics\":{\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:N/C:P/I:N/A:N\",\"baseScore\":5.0,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":10.0,\"impactScore\":2.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"NVD-CWE-noinfo\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:fusion_middleware:2.1.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"65528D4C-7391-403D-9E26-F97CE8CD18D2\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:fusion_middleware:3.0.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"D6D8ECF3-446C-4698-8A0D-77983E5C8C73\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:fusion_middleware:3.1.2:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"41E6A1C1-BDF6-4C1C-A089-E6537E3D576C\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:fusion_middleware:10.3.6:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"60E0074D-084B-486B-AE30-C6B91F5AF16D\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:fusion_middleware:11.1.2.3.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"20C3A3CA-4F97-4D4C-AA1F-D674FEFA0CB0\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:fusion_middleware:11.1.2.4.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"19BA27FF-CE57-4785-9321-E11287A5927B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:fusion_middleware:12.1.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"B5DF787A-1E24-408B-8956-16A2A6B2015C\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:fusion_middleware:12.1.2.0.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"D4E67774-F4FB-4EA3-A527-92EF41F84248\"}]}]}],\"references\":[{\"url\":\"http://rhn.redhat.com/errata/RHSA-2014-0029.html\",\"source\":\"secalert_us@oracle.com\"},{\"url\":\"http://www.kb.cert.org/vuls/id/526012\",\"source\":\"secalert_us@oracle.com\",\"tags\":[\"US Government Resource\"]},{\"url\":\"http://www.oracle.com/technetwork/topics/security/cpuoct2013-1899837.html\",\"source\":\"secalert_us@oracle.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"http://www.securityfocus.com/bid/63052\",\"source\":\"secalert_us@oracle.com\"},{\"url\":\"http://www.securitytracker.com/id/1029190\",\"source\":\"secalert_us@oracle.com\"},{\"url\":\"http://rhn.redhat.com/errata/RHSA-2014-0029.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://www.kb.cert.org/vuls/id/526012\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"US Government Resource\"]},{\"url\":\"http://www.oracle.com/technetwork/topics/security/cpuoct2013-1899837.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"http://www.securityfocus.com/bid/63052\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://www.securitytracker.com/id/1029190\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}]}}"
}
}
CERTA-2013-AVI-575
Vulnerability from certfr_avis - Published: - Updated:
De multiples vulnérabilités ont été corrigées dans Oracle Fusion Middleware. Certaines d'entre elles permettent à un attaquant de provoquer un déni de service, une atteinte à l'intégrité des données et une atteinte à la confidentialité des données.
Solution
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
NoneImpacted products
| Vendor | Product | Description | ||
|---|---|---|---|---|
| Oracle | N/A | Oracle WebLogic Server versions 12.1.1.0 et antérieures | ||
| Oracle | N/A | Oracle Security Service versions 11.1.1.6 et antérieures | ||
| Oracle | N/A | Oracle Security Service versions 11.1.2.1 et antérieures | ||
| Oracle | N/A | Oracle Outside In Technology versions 8.4.0 et antérieures | ||
| Oracle | N/A | Oracle Outside In Technology versions 8.4.1 et antérieures | ||
| Oracle | N/A | Oracle Identity Analytics versions 11.1.1.5 et antérieures | ||
| Oracle | N/A | Oracle Identity Manager versions 11.1.2.0.0 et antérieures | ||
| Oracle | N/A | Oracle JDeveloper versions 12.1.2.0.0 et antérieures | ||
| Oracle | N/A | Oracle WebCenter Content versions 10.1.1.7.0 et antérieures | ||
| Oracle | N/A | Oracle Security Service versions 11.1.1.7 et antérieures | ||
| Oracle | N/A | Oracle GlassFish Server versions 3.0.1 et antérieures | ||
| Oracle | N/A | Oracle GlassFish Server versions 3.1.2 et antérieures | ||
| Oracle | N/A | Oracle Identity Manager versions 11.1.2.1.0 et antérieures | ||
| Oracle | N/A | Oracle Web Cache versions 11.1.1.6 et antérieures | ||
| Oracle | N/A | Oracle Web Services versions 10.1.3.5.0 et antérieures | ||
| Oracle | N/A | Oracle Access Manager versions 11.1.2.0.0 et antérieures | ||
| Oracle | N/A | Oracle WebCenter Content versions 10.1.1.8.0 et antérieures | ||
| Oracle | N/A | Oracle Web Cache versions 11.1.1.7 et antérieures | ||
| Oracle | N/A | Oracle WebLogic Server versions 10.3.6.0 et antérieures | ||
| Oracle | N/A | Oracle Portal versions 11.1.1.6.0 et antérieures | ||
| Oracle | N/A | Oracle Access Manager versions 11.1.1.5.0 et antérieures | ||
| Oracle | N/A | Oracle JDeveloper versions 11.1.2.4.0 et antérieures | ||
| Oracle | N/A | Oracle Containers for J2EE versions 10.1.3.5.0 et antérieures | ||
| Oracle | N/A | Oracle Security Service versions 12.2.1 et antérieures | ||
| Oracle | N/A | Oracle GlassFish Server versions 2.1.1 et antérieures | ||
| Oracle | N/A | Oracle JDeveloper versions 11.1.2.3.0 et antérieures | ||
| Oracle | N/A | Oracle Web Services versions 11.1.1.6.0 et antérieures | ||
| Oracle | N/A | Oracle WebCenter Content versions 10.1.1.6.0 et antérieures |
References
| Title | Publication Time | Tags | |||
|---|---|---|---|---|---|
|
|||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "Oracle WebLogic Server versions 12.1.1.0 et ant\u00e9rieures",
"product": {
"name": "N/A",
"vendor": {
"name": "Oracle",
"scada": false
}
}
},
{
"description": "Oracle Security Service versions 11.1.1.6 et ant\u00e9rieures",
"product": {
"name": "N/A",
"vendor": {
"name": "Oracle",
"scada": false
}
}
},
{
"description": "Oracle Security Service versions 11.1.2.1 et ant\u00e9rieures",
"product": {
"name": "N/A",
"vendor": {
"name": "Oracle",
"scada": false
}
}
},
{
"description": "Oracle Outside In Technology versions 8.4.0 et ant\u00e9rieures",
"product": {
"name": "N/A",
"vendor": {
"name": "Oracle",
"scada": false
}
}
},
{
"description": "Oracle Outside In Technology versions 8.4.1 et ant\u00e9rieures",
"product": {
"name": "N/A",
"vendor": {
"name": "Oracle",
"scada": false
}
}
},
{
"description": "Oracle Identity Analytics versions 11.1.1.5 et ant\u00e9rieures",
"product": {
"name": "N/A",
"vendor": {
"name": "Oracle",
"scada": false
}
}
},
{
"description": "Oracle Identity Manager versions 11.1.2.0.0 et ant\u00e9rieures",
"product": {
"name": "N/A",
"vendor": {
"name": "Oracle",
"scada": false
}
}
},
{
"description": "Oracle JDeveloper versions 12.1.2.0.0 et ant\u00e9rieures",
"product": {
"name": "N/A",
"vendor": {
"name": "Oracle",
"scada": false
}
}
},
{
"description": "Oracle WebCenter Content versions 10.1.1.7.0 et ant\u00e9rieures",
"product": {
"name": "N/A",
"vendor": {
"name": "Oracle",
"scada": false
}
}
},
{
"description": "Oracle Security Service versions 11.1.1.7 et ant\u00e9rieures",
"product": {
"name": "N/A",
"vendor": {
"name": "Oracle",
"scada": false
}
}
},
{
"description": "Oracle GlassFish Server versions 3.0.1 et ant\u00e9rieures",
"product": {
"name": "N/A",
"vendor": {
"name": "Oracle",
"scada": false
}
}
},
{
"description": "Oracle GlassFish Server versions 3.1.2 et ant\u00e9rieures",
"product": {
"name": "N/A",
"vendor": {
"name": "Oracle",
"scada": false
}
}
},
{
"description": "Oracle Identity Manager versions 11.1.2.1.0 et ant\u00e9rieures",
"product": {
"name": "N/A",
"vendor": {
"name": "Oracle",
"scada": false
}
}
},
{
"description": "Oracle Web Cache versions 11.1.1.6 et ant\u00e9rieures",
"product": {
"name": "N/A",
"vendor": {
"name": "Oracle",
"scada": false
}
}
},
{
"description": "Oracle Web Services versions 10.1.3.5.0 et ant\u00e9rieures",
"product": {
"name": "N/A",
"vendor": {
"name": "Oracle",
"scada": false
}
}
},
{
"description": "Oracle Access Manager versions 11.1.2.0.0 et ant\u00e9rieures",
"product": {
"name": "N/A",
"vendor": {
"name": "Oracle",
"scada": false
}
}
},
{
"description": "Oracle WebCenter Content versions 10.1.1.8.0 et ant\u00e9rieures",
"product": {
"name": "N/A",
"vendor": {
"name": "Oracle",
"scada": false
}
}
},
{
"description": "Oracle Web Cache versions 11.1.1.7 et ant\u00e9rieures",
"product": {
"name": "N/A",
"vendor": {
"name": "Oracle",
"scada": false
}
}
},
{
"description": "Oracle WebLogic Server versions 10.3.6.0 et ant\u00e9rieures",
"product": {
"name": "N/A",
"vendor": {
"name": "Oracle",
"scada": false
}
}
},
{
"description": "Oracle Portal versions 11.1.1.6.0 et ant\u00e9rieures",
"product": {
"name": "N/A",
"vendor": {
"name": "Oracle",
"scada": false
}
}
},
{
"description": "Oracle Access Manager versions 11.1.1.5.0 et ant\u00e9rieures",
"product": {
"name": "N/A",
"vendor": {
"name": "Oracle",
"scada": false
}
}
},
{
"description": "Oracle JDeveloper versions 11.1.2.4.0 et ant\u00e9rieures",
"product": {
"name": "N/A",
"vendor": {
"name": "Oracle",
"scada": false
}
}
},
{
"description": "Oracle Containers for J2EE versions 10.1.3.5.0 et ant\u00e9rieures",
"product": {
"name": "N/A",
"vendor": {
"name": "Oracle",
"scada": false
}
}
},
{
"description": "Oracle Security Service versions 12.2.1 et ant\u00e9rieures",
"product": {
"name": "N/A",
"vendor": {
"name": "Oracle",
"scada": false
}
}
},
{
"description": "Oracle GlassFish Server versions 2.1.1 et ant\u00e9rieures",
"product": {
"name": "N/A",
"vendor": {
"name": "Oracle",
"scada": false
}
}
},
{
"description": "Oracle JDeveloper versions 11.1.2.3.0 et ant\u00e9rieures",
"product": {
"name": "N/A",
"vendor": {
"name": "Oracle",
"scada": false
}
}
},
{
"description": "Oracle Web Services versions 11.1.1.6.0 et ant\u00e9rieures",
"product": {
"name": "N/A",
"vendor": {
"name": "Oracle",
"scada": false
}
}
},
{
"description": "Oracle WebCenter Content versions 10.1.1.6.0 et ant\u00e9rieures",
"product": {
"name": "N/A",
"vendor": {
"name": "Oracle",
"scada": false
}
}
}
],
"affected_systems_content": null,
"content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
"cves": [
{
"name": "CVE-2013-5798",
"url": "https://www.cve.org/CVERecord?id=CVE-2013-5798"
},
{
"name": "CVE-2013-5816",
"url": "https://www.cve.org/CVERecord?id=CVE-2013-5816"
},
{
"name": "CVE-2013-5773",
"url": "https://www.cve.org/CVERecord?id=CVE-2013-5773"
},
{
"name": "CVE-2013-3828",
"url": "https://www.cve.org/CVERecord?id=CVE-2013-3828"
},
{
"name": "CVE-2013-3836",
"url": "https://www.cve.org/CVERecord?id=CVE-2013-3836"
},
{
"name": "CVE-2013-3624",
"url": "https://www.cve.org/CVERecord?id=CVE-2013-3624"
},
{
"name": "CVE-2013-0169",
"url": "https://www.cve.org/CVERecord?id=CVE-2013-0169"
},
{
"name": "CVE-2013-5813",
"url": "https://www.cve.org/CVERecord?id=CVE-2013-5813"
},
{
"name": "CVE-2013-3827",
"url": "https://www.cve.org/CVERecord?id=CVE-2013-3827"
},
{
"name": "CVE-2013-5815",
"url": "https://www.cve.org/CVERecord?id=CVE-2013-5815"
},
{
"name": "CVE-2013-2172",
"url": "https://www.cve.org/CVERecord?id=CVE-2013-2172"
},
{
"name": "CVE-2013-5791",
"url": "https://www.cve.org/CVERecord?id=CVE-2013-5791"
},
{
"name": "CVE-2013-3831",
"url": "https://www.cve.org/CVERecord?id=CVE-2013-3831"
},
{
"name": "CVE-2013-3833",
"url": "https://www.cve.org/CVERecord?id=CVE-2013-3833"
},
{
"name": "CVE-2011-3389",
"url": "https://www.cve.org/CVERecord?id=CVE-2011-3389"
}
],
"links": [],
"reference": "CERTA-2013-AVI-575",
"revisions": [
{
"description": "version initiale.",
"revision_date": "2013-10-16T00:00:00.000000"
}
],
"risks": [
{
"description": "Atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es"
},
{
"description": "D\u00e9ni de service"
},
{
"description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
},
{
"description": "\u00c9l\u00e9vation de privil\u00e8ges"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 corrig\u00e9es dans \u003cspan\nclass=\"textit\"\u003eOracle Fusion Middleware\u003c/span\u003e. Certaines d\u0027entre elles\npermettent \u00e0 un attaquant de provoquer un d\u00e9ni de service, une atteinte\n\u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es et une atteinte \u00e0 la confidentialit\u00e9 des\ndonn\u00e9es.\n",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans Oracle Fusion Middleware",
"vendor_advisories": [
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Oracle CPUOct2013 du 16 octobre 2013",
"url": "http://www.oracle.com/technetwork/topics/security/cpuoct2013-1899837.html"
}
]
}
CERTA-2013-AVI-575
Vulnerability from certfr_avis - Published: - Updated:
De multiples vulnérabilités ont été corrigées dans Oracle Fusion Middleware. Certaines d'entre elles permettent à un attaquant de provoquer un déni de service, une atteinte à l'intégrité des données et une atteinte à la confidentialité des données.
Solution
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
NoneImpacted products
| Vendor | Product | Description | ||
|---|---|---|---|---|
| Oracle | N/A | Oracle WebLogic Server versions 12.1.1.0 et antérieures | ||
| Oracle | N/A | Oracle Security Service versions 11.1.1.6 et antérieures | ||
| Oracle | N/A | Oracle Security Service versions 11.1.2.1 et antérieures | ||
| Oracle | N/A | Oracle Outside In Technology versions 8.4.0 et antérieures | ||
| Oracle | N/A | Oracle Outside In Technology versions 8.4.1 et antérieures | ||
| Oracle | N/A | Oracle Identity Analytics versions 11.1.1.5 et antérieures | ||
| Oracle | N/A | Oracle Identity Manager versions 11.1.2.0.0 et antérieures | ||
| Oracle | N/A | Oracle JDeveloper versions 12.1.2.0.0 et antérieures | ||
| Oracle | N/A | Oracle WebCenter Content versions 10.1.1.7.0 et antérieures | ||
| Oracle | N/A | Oracle Security Service versions 11.1.1.7 et antérieures | ||
| Oracle | N/A | Oracle GlassFish Server versions 3.0.1 et antérieures | ||
| Oracle | N/A | Oracle GlassFish Server versions 3.1.2 et antérieures | ||
| Oracle | N/A | Oracle Identity Manager versions 11.1.2.1.0 et antérieures | ||
| Oracle | N/A | Oracle Web Cache versions 11.1.1.6 et antérieures | ||
| Oracle | N/A | Oracle Web Services versions 10.1.3.5.0 et antérieures | ||
| Oracle | N/A | Oracle Access Manager versions 11.1.2.0.0 et antérieures | ||
| Oracle | N/A | Oracle WebCenter Content versions 10.1.1.8.0 et antérieures | ||
| Oracle | N/A | Oracle Web Cache versions 11.1.1.7 et antérieures | ||
| Oracle | N/A | Oracle WebLogic Server versions 10.3.6.0 et antérieures | ||
| Oracle | N/A | Oracle Portal versions 11.1.1.6.0 et antérieures | ||
| Oracle | N/A | Oracle Access Manager versions 11.1.1.5.0 et antérieures | ||
| Oracle | N/A | Oracle JDeveloper versions 11.1.2.4.0 et antérieures | ||
| Oracle | N/A | Oracle Containers for J2EE versions 10.1.3.5.0 et antérieures | ||
| Oracle | N/A | Oracle Security Service versions 12.2.1 et antérieures | ||
| Oracle | N/A | Oracle GlassFish Server versions 2.1.1 et antérieures | ||
| Oracle | N/A | Oracle JDeveloper versions 11.1.2.3.0 et antérieures | ||
| Oracle | N/A | Oracle Web Services versions 11.1.1.6.0 et antérieures | ||
| Oracle | N/A | Oracle WebCenter Content versions 10.1.1.6.0 et antérieures |
References
| Title | Publication Time | Tags | |||
|---|---|---|---|---|---|
|
|||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "Oracle WebLogic Server versions 12.1.1.0 et ant\u00e9rieures",
"product": {
"name": "N/A",
"vendor": {
"name": "Oracle",
"scada": false
}
}
},
{
"description": "Oracle Security Service versions 11.1.1.6 et ant\u00e9rieures",
"product": {
"name": "N/A",
"vendor": {
"name": "Oracle",
"scada": false
}
}
},
{
"description": "Oracle Security Service versions 11.1.2.1 et ant\u00e9rieures",
"product": {
"name": "N/A",
"vendor": {
"name": "Oracle",
"scada": false
}
}
},
{
"description": "Oracle Outside In Technology versions 8.4.0 et ant\u00e9rieures",
"product": {
"name": "N/A",
"vendor": {
"name": "Oracle",
"scada": false
}
}
},
{
"description": "Oracle Outside In Technology versions 8.4.1 et ant\u00e9rieures",
"product": {
"name": "N/A",
"vendor": {
"name": "Oracle",
"scada": false
}
}
},
{
"description": "Oracle Identity Analytics versions 11.1.1.5 et ant\u00e9rieures",
"product": {
"name": "N/A",
"vendor": {
"name": "Oracle",
"scada": false
}
}
},
{
"description": "Oracle Identity Manager versions 11.1.2.0.0 et ant\u00e9rieures",
"product": {
"name": "N/A",
"vendor": {
"name": "Oracle",
"scada": false
}
}
},
{
"description": "Oracle JDeveloper versions 12.1.2.0.0 et ant\u00e9rieures",
"product": {
"name": "N/A",
"vendor": {
"name": "Oracle",
"scada": false
}
}
},
{
"description": "Oracle WebCenter Content versions 10.1.1.7.0 et ant\u00e9rieures",
"product": {
"name": "N/A",
"vendor": {
"name": "Oracle",
"scada": false
}
}
},
{
"description": "Oracle Security Service versions 11.1.1.7 et ant\u00e9rieures",
"product": {
"name": "N/A",
"vendor": {
"name": "Oracle",
"scada": false
}
}
},
{
"description": "Oracle GlassFish Server versions 3.0.1 et ant\u00e9rieures",
"product": {
"name": "N/A",
"vendor": {
"name": "Oracle",
"scada": false
}
}
},
{
"description": "Oracle GlassFish Server versions 3.1.2 et ant\u00e9rieures",
"product": {
"name": "N/A",
"vendor": {
"name": "Oracle",
"scada": false
}
}
},
{
"description": "Oracle Identity Manager versions 11.1.2.1.0 et ant\u00e9rieures",
"product": {
"name": "N/A",
"vendor": {
"name": "Oracle",
"scada": false
}
}
},
{
"description": "Oracle Web Cache versions 11.1.1.6 et ant\u00e9rieures",
"product": {
"name": "N/A",
"vendor": {
"name": "Oracle",
"scada": false
}
}
},
{
"description": "Oracle Web Services versions 10.1.3.5.0 et ant\u00e9rieures",
"product": {
"name": "N/A",
"vendor": {
"name": "Oracle",
"scada": false
}
}
},
{
"description": "Oracle Access Manager versions 11.1.2.0.0 et ant\u00e9rieures",
"product": {
"name": "N/A",
"vendor": {
"name": "Oracle",
"scada": false
}
}
},
{
"description": "Oracle WebCenter Content versions 10.1.1.8.0 et ant\u00e9rieures",
"product": {
"name": "N/A",
"vendor": {
"name": "Oracle",
"scada": false
}
}
},
{
"description": "Oracle Web Cache versions 11.1.1.7 et ant\u00e9rieures",
"product": {
"name": "N/A",
"vendor": {
"name": "Oracle",
"scada": false
}
}
},
{
"description": "Oracle WebLogic Server versions 10.3.6.0 et ant\u00e9rieures",
"product": {
"name": "N/A",
"vendor": {
"name": "Oracle",
"scada": false
}
}
},
{
"description": "Oracle Portal versions 11.1.1.6.0 et ant\u00e9rieures",
"product": {
"name": "N/A",
"vendor": {
"name": "Oracle",
"scada": false
}
}
},
{
"description": "Oracle Access Manager versions 11.1.1.5.0 et ant\u00e9rieures",
"product": {
"name": "N/A",
"vendor": {
"name": "Oracle",
"scada": false
}
}
},
{
"description": "Oracle JDeveloper versions 11.1.2.4.0 et ant\u00e9rieures",
"product": {
"name": "N/A",
"vendor": {
"name": "Oracle",
"scada": false
}
}
},
{
"description": "Oracle Containers for J2EE versions 10.1.3.5.0 et ant\u00e9rieures",
"product": {
"name": "N/A",
"vendor": {
"name": "Oracle",
"scada": false
}
}
},
{
"description": "Oracle Security Service versions 12.2.1 et ant\u00e9rieures",
"product": {
"name": "N/A",
"vendor": {
"name": "Oracle",
"scada": false
}
}
},
{
"description": "Oracle GlassFish Server versions 2.1.1 et ant\u00e9rieures",
"product": {
"name": "N/A",
"vendor": {
"name": "Oracle",
"scada": false
}
}
},
{
"description": "Oracle JDeveloper versions 11.1.2.3.0 et ant\u00e9rieures",
"product": {
"name": "N/A",
"vendor": {
"name": "Oracle",
"scada": false
}
}
},
{
"description": "Oracle Web Services versions 11.1.1.6.0 et ant\u00e9rieures",
"product": {
"name": "N/A",
"vendor": {
"name": "Oracle",
"scada": false
}
}
},
{
"description": "Oracle WebCenter Content versions 10.1.1.6.0 et ant\u00e9rieures",
"product": {
"name": "N/A",
"vendor": {
"name": "Oracle",
"scada": false
}
}
}
],
"affected_systems_content": null,
"content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
"cves": [
{
"name": "CVE-2013-5798",
"url": "https://www.cve.org/CVERecord?id=CVE-2013-5798"
},
{
"name": "CVE-2013-5816",
"url": "https://www.cve.org/CVERecord?id=CVE-2013-5816"
},
{
"name": "CVE-2013-5773",
"url": "https://www.cve.org/CVERecord?id=CVE-2013-5773"
},
{
"name": "CVE-2013-3828",
"url": "https://www.cve.org/CVERecord?id=CVE-2013-3828"
},
{
"name": "CVE-2013-3836",
"url": "https://www.cve.org/CVERecord?id=CVE-2013-3836"
},
{
"name": "CVE-2013-3624",
"url": "https://www.cve.org/CVERecord?id=CVE-2013-3624"
},
{
"name": "CVE-2013-0169",
"url": "https://www.cve.org/CVERecord?id=CVE-2013-0169"
},
{
"name": "CVE-2013-5813",
"url": "https://www.cve.org/CVERecord?id=CVE-2013-5813"
},
{
"name": "CVE-2013-3827",
"url": "https://www.cve.org/CVERecord?id=CVE-2013-3827"
},
{
"name": "CVE-2013-5815",
"url": "https://www.cve.org/CVERecord?id=CVE-2013-5815"
},
{
"name": "CVE-2013-2172",
"url": "https://www.cve.org/CVERecord?id=CVE-2013-2172"
},
{
"name": "CVE-2013-5791",
"url": "https://www.cve.org/CVERecord?id=CVE-2013-5791"
},
{
"name": "CVE-2013-3831",
"url": "https://www.cve.org/CVERecord?id=CVE-2013-3831"
},
{
"name": "CVE-2013-3833",
"url": "https://www.cve.org/CVERecord?id=CVE-2013-3833"
},
{
"name": "CVE-2011-3389",
"url": "https://www.cve.org/CVERecord?id=CVE-2011-3389"
}
],
"links": [],
"reference": "CERTA-2013-AVI-575",
"revisions": [
{
"description": "version initiale.",
"revision_date": "2013-10-16T00:00:00.000000"
}
],
"risks": [
{
"description": "Atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es"
},
{
"description": "D\u00e9ni de service"
},
{
"description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
},
{
"description": "\u00c9l\u00e9vation de privil\u00e8ges"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 corrig\u00e9es dans \u003cspan\nclass=\"textit\"\u003eOracle Fusion Middleware\u003c/span\u003e. Certaines d\u0027entre elles\npermettent \u00e0 un attaquant de provoquer un d\u00e9ni de service, une atteinte\n\u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es et une atteinte \u00e0 la confidentialit\u00e9 des\ndonn\u00e9es.\n",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans Oracle Fusion Middleware",
"vendor_advisories": [
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Oracle CPUOct2013 du 16 octobre 2013",
"url": "http://www.oracle.com/technetwork/topics/security/cpuoct2013-1899837.html"
}
]
}
FKIE_CVE-2013-3827
Vulnerability from fkie_nvd - Published: 2013-10-16 15:55 - Updated: 2025-04-11 00:51
Severity ?
Summary
Unspecified vulnerability in the Oracle GlassFish Server component in Oracle Fusion Middleware 2.1.1, 3.0.1, and 3.1.2; the Oracle JDeveloper component in Oracle Fusion Middleware 11.1.2.3.0, 11.1.2.4.0, and 12.1.2.0.0; and the Oracle WebLogic Server component in Oracle Fusion Middleware 10.3.6.0 and 12.1.1 allows remote attackers to affect confidentiality via unknown vectors related to Java Server Faces or Web Container.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| oracle | fusion_middleware | 2.1.1 | |
| oracle | fusion_middleware | 3.0.1 | |
| oracle | fusion_middleware | 3.1.2 | |
| oracle | fusion_middleware | 10.3.6 | |
| oracle | fusion_middleware | 11.1.2.3.0 | |
| oracle | fusion_middleware | 11.1.2.4.0 | |
| oracle | fusion_middleware | 12.1.1 | |
| oracle | fusion_middleware | 12.1.2.0.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:oracle:fusion_middleware:2.1.1:*:*:*:*:*:*:*",
"matchCriteriaId": "65528D4C-7391-403D-9E26-F97CE8CD18D2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:oracle:fusion_middleware:3.0.1:*:*:*:*:*:*:*",
"matchCriteriaId": "D6D8ECF3-446C-4698-8A0D-77983E5C8C73",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:oracle:fusion_middleware:3.1.2:*:*:*:*:*:*:*",
"matchCriteriaId": "41E6A1C1-BDF6-4C1C-A089-E6537E3D576C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:oracle:fusion_middleware:10.3.6:*:*:*:*:*:*:*",
"matchCriteriaId": "60E0074D-084B-486B-AE30-C6B91F5AF16D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:oracle:fusion_middleware:11.1.2.3.0:*:*:*:*:*:*:*",
"matchCriteriaId": "20C3A3CA-4F97-4D4C-AA1F-D674FEFA0CB0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:oracle:fusion_middleware:11.1.2.4.0:*:*:*:*:*:*:*",
"matchCriteriaId": "19BA27FF-CE57-4785-9321-E11287A5927B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:oracle:fusion_middleware:12.1.1:*:*:*:*:*:*:*",
"matchCriteriaId": "B5DF787A-1E24-408B-8956-16A2A6B2015C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:oracle:fusion_middleware:12.1.2.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "D4E67774-F4FB-4EA3-A527-92EF41F84248",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Unspecified vulnerability in the Oracle GlassFish Server component in Oracle Fusion Middleware 2.1.1, 3.0.1, and 3.1.2; the Oracle JDeveloper component in Oracle Fusion Middleware 11.1.2.3.0, 11.1.2.4.0, and 12.1.2.0.0; and the Oracle WebLogic Server component in Oracle Fusion Middleware 10.3.6.0 and 12.1.1 allows remote attackers to affect confidentiality via unknown vectors related to Java Server Faces or Web Container."
},
{
"lang": "es",
"value": "Vulnerabilidad no especificada en el componente de Oracle GlassFish Server en Oracle Fusion Middleware 2.1.1, 3.0.1 y 3.1.2, el componente de Oracle JDeveloper de Oracle Fusion Middleware 11.1.2.3.0, 11.1.2.4.0 y 12.1.2.0. 0, y el componente de Oracle WebLogic Server en Oracle Fusion Middleware 10.3.6.0 y 12.1.1 que permite a atacantes remotos afectar la confidencialidad a trav\u00e9s de vectores desconocidos relacionados con Java Server Faces o el Web Container."
}
],
"id": "CVE-2013-3827",
"lastModified": "2025-04-11T00:51:21.963",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
]
},
"published": "2013-10-16T15:55:33.820",
"references": [
{
"source": "secalert_us@oracle.com",
"url": "http://rhn.redhat.com/errata/RHSA-2014-0029.html"
},
{
"source": "secalert_us@oracle.com",
"tags": [
"US Government Resource"
],
"url": "http://www.kb.cert.org/vuls/id/526012"
},
{
"source": "secalert_us@oracle.com",
"tags": [
"Vendor Advisory"
],
"url": "http://www.oracle.com/technetwork/topics/security/cpuoct2013-1899837.html"
},
{
"source": "secalert_us@oracle.com",
"url": "http://www.securityfocus.com/bid/63052"
},
{
"source": "secalert_us@oracle.com",
"url": "http://www.securitytracker.com/id/1029190"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://rhn.redhat.com/errata/RHSA-2014-0029.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"US Government Resource"
],
"url": "http://www.kb.cert.org/vuls/id/526012"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "http://www.oracle.com/technetwork/topics/security/cpuoct2013-1899837.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securityfocus.com/bid/63052"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securitytracker.com/id/1029190"
}
],
"sourceIdentifier": "secalert_us@oracle.com",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-noinfo"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
RHSA-2014_0029
Vulnerability from csaf_redhat - Published: 2014-01-15 17:45 - Updated: 2024-11-22 07:29Summary
Red Hat Security Advisory: Red Hat JBoss Data Grid 6.2.0 update
Notes
Topic
Red Hat JBoss Data Grid 6.2.0, which fixes multiple security issues,
various bugs, and adds enhancements, is now available from the Red Hat
Customer Portal.
The Red Hat Security Response Team has rated this update as having
important security impact. Common Vulnerability Scoring System (CVSS) base
scores, which give detailed severity ratings, are available for each
vulnerability from the CVE links in the References section.
Details
Red Hat JBoss Data Grid is a distributed in-memory data grid, based on
Infinispan.
This release of Red Hat JBoss Data Grid 6.2.0 serves as a replacement for
Red Hat JBoss Data Grid 6.1.0. It includes various bug fixes and
enhancements which are detailed in the Red Hat JBoss Data Grid 6.2.0
Release Notes. The Release Notes will be available shortly from
https://access.redhat.com/site/documentation/Red_Hat_JBoss_Data_Grid/
This update also fixes the following security issues:
Multiple path traversal flaws where found in the Mojarra JSF2
implementation for identifying resources by name or by library.
An unauthenticated, remote attacker could use these flaws to gather
otherwise undisclosed information from within an application's root
directory. (CVE-2013-3827)
It was found that the SolrResourceLoader class in Apache Solr allowed
loading of resources via absolute paths, or relative paths which were not
sanitized for directory traversal. Some Solr components expose REST
interfaces which load resources (XSL style sheets and Velocity templates)
via SolrResourceLoader, using paths identified by REST parameters. A remote
attacker could use this flaw to load arbitrary local files on the server
via SolrResourceLoader, potentially resulting in information disclosure or
remote code execution. (CVE-2013-6397)
It was found that the XML and XSLT UpdateRequestHandler classes in Apache
Solr would resolve external entities, allowing an attacker to conduct XML
External Entity (XXE) attacks. A remote attacker could use this flaw to
read files accessible to the user running the application server, and
potentially perform other more advanced XXE attacks. (CVE-2012-6612,
CVE-2013-6407)
It was found that the DocumentAnalysisRequestHandler class in Apache Solr
would resolve external entities, allowing an attacker to conduct XXE
attacks. A remote attacker could use this flaw to read files accessible to
the user running the application server, and potentially perform other more
advanced XXE attacks. (CVE-2013-6408)
The data file used by PicketBox Vault to store encrypted passwords contains
a copy of its own admin key. The file is encrypted using only this admin
key, not the corresponding JKS key. A local attacker with permission to
read the vault data file could read the admin key from the file.
(CVE-2013-1921)
The HawtJNI Library class wrote native libraries to a predictable file name
in /tmp/ when the native libraries were bundled in a JAR file, and no
custom library path was specified. A local attacker could overwrite these
native libraries with malicious versions during the window between when
HawtJNI writes them and when they are executed. (CVE-2013-2035)
A flaw was found in JGroup's DiagnosticsHandler that allowed an attacker on
an adjacent network to reuse the credentials from a previous successful
authentication. This could be exploited to read diagnostic information
(information disclosure) and attain limited remote code execution.
(CVE-2013-4112)
Note that CVE-2013-6397, CVE-2013-6407, and CVE-2013-6408 are not exposed
by default. They are only exploitable if a user has manually exposed
servlets provided in the Apachr Solr component that ships with Red Hat
JBoss Data Grid, or written their own code that makes use of the vulnerable
elements of Apache Solr.
The CVE-2013-2035 issue was discovered by Florian Weimer of the Red Hat
Product Security Team.
All users of Red Hat JBoss Data Grid 6.1.0 as provided from the Red Hat
Customer Portal are advised to upgrade to Red Hat JBoss Data Grid 6.2.0.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Red Hat JBoss Data Grid 6.2.0, which fixes multiple security issues,\nvarious bugs, and adds enhancements, is now available from the Red Hat\nCustomer Portal.\n\nThe Red Hat Security Response Team has rated this update as having\nimportant security impact. Common Vulnerability Scoring System (CVSS) base\nscores, which give detailed severity ratings, are available for each\nvulnerability from the CVE links in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Red Hat JBoss Data Grid is a distributed in-memory data grid, based on\nInfinispan.\n\nThis release of Red Hat JBoss Data Grid 6.2.0 serves as a replacement for\nRed Hat JBoss Data Grid 6.1.0. It includes various bug fixes and\nenhancements which are detailed in the Red Hat JBoss Data Grid 6.2.0\nRelease Notes. The Release Notes will be available shortly from\nhttps://access.redhat.com/site/documentation/Red_Hat_JBoss_Data_Grid/\n\nThis update also fixes the following security issues:\n\nMultiple path traversal flaws where found in the Mojarra JSF2\nimplementation for identifying resources by name or by library.\nAn unauthenticated, remote attacker could use these flaws to gather\notherwise undisclosed information from within an application\u0027s root\ndirectory. (CVE-2013-3827)\n\nIt was found that the SolrResourceLoader class in Apache Solr allowed\nloading of resources via absolute paths, or relative paths which were not\nsanitized for directory traversal. Some Solr components expose REST\ninterfaces which load resources (XSL style sheets and Velocity templates)\nvia SolrResourceLoader, using paths identified by REST parameters. A remote\nattacker could use this flaw to load arbitrary local files on the server\nvia SolrResourceLoader, potentially resulting in information disclosure or\nremote code execution. (CVE-2013-6397)\n\nIt was found that the XML and XSLT UpdateRequestHandler classes in Apache\nSolr would resolve external entities, allowing an attacker to conduct XML\nExternal Entity (XXE) attacks. A remote attacker could use this flaw to\nread files accessible to the user running the application server, and\npotentially perform other more advanced XXE attacks. (CVE-2012-6612,\nCVE-2013-6407)\n\nIt was found that the DocumentAnalysisRequestHandler class in Apache Solr\nwould resolve external entities, allowing an attacker to conduct XXE\nattacks. A remote attacker could use this flaw to read files accessible to\nthe user running the application server, and potentially perform other more\nadvanced XXE attacks. (CVE-2013-6408)\n\nThe data file used by PicketBox Vault to store encrypted passwords contains\na copy of its own admin key. The file is encrypted using only this admin\nkey, not the corresponding JKS key. A local attacker with permission to\nread the vault data file could read the admin key from the file.\n(CVE-2013-1921)\n\nThe HawtJNI Library class wrote native libraries to a predictable file name\nin /tmp/ when the native libraries were bundled in a JAR file, and no\ncustom library path was specified. A local attacker could overwrite these\nnative libraries with malicious versions during the window between when\nHawtJNI writes them and when they are executed. (CVE-2013-2035)\n\nA flaw was found in JGroup\u0027s DiagnosticsHandler that allowed an attacker on\nan adjacent network to reuse the credentials from a previous successful\nauthentication. This could be exploited to read diagnostic information\n(information disclosure) and attain limited remote code execution.\n(CVE-2013-4112)\n\nNote that CVE-2013-6397, CVE-2013-6407, and CVE-2013-6408 are not exposed\nby default. They are only exploitable if a user has manually exposed\nservlets provided in the Apachr Solr component that ships with Red Hat\nJBoss Data Grid, or written their own code that makes use of the vulnerable\nelements of Apache Solr.\n\nThe CVE-2013-2035 issue was discovered by Florian Weimer of the Red Hat\nProduct Security Team.\n\nAll users of Red Hat JBoss Data Grid 6.1.0 as provided from the Red Hat\nCustomer Portal are advised to upgrade to Red Hat JBoss Data Grid 6.2.0.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2014:0029",
"url": "https://access.redhat.com/errata/RHSA-2014:0029"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=data.grid\u0026downloadType=distributions",
"url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=data.grid\u0026downloadType=distributions"
},
{
"category": "external",
"summary": "https://access.redhat.com/site/documentation/Red_Hat_JBoss_Data_Grid/",
"url": "https://access.redhat.com/site/documentation/Red_Hat_JBoss_Data_Grid/"
},
{
"category": "external",
"summary": "948106",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=948106"
},
{
"category": "external",
"summary": "958618",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=958618"
},
{
"category": "external",
"summary": "983489",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=983489"
},
{
"category": "external",
"summary": "1035062",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1035062"
},
{
"category": "external",
"summary": "1035981",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1035981"
},
{
"category": "external",
"summary": "1035985",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1035985"
},
{
"category": "external",
"summary": "1038898",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1038898"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2014/rhsa-2014_0029.json"
}
],
"title": "Red Hat Security Advisory: Red Hat JBoss Data Grid 6.2.0 update",
"tracking": {
"current_release_date": "2024-11-22T07:29:14+00:00",
"generator": {
"date": "2024-11-22T07:29:14+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.2.1"
}
},
"id": "RHSA-2014:0029",
"initial_release_date": "2014-01-15T17:45:50+00:00",
"revision_history": [
{
"date": "2014-01-15T17:45:50+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2019-02-20T12:32:49+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2024-11-22T07:29:14+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat JBoss Data Grid 6.2",
"product": {
"name": "Red Hat JBoss Data Grid 6.2",
"product_id": "Red Hat JBoss Data Grid 6.2",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:jboss_data_grid:6.2.0"
}
}
}
],
"category": "product_family",
"name": "Red Hat JBoss Data Grid"
}
],
"category": "vendor",
"name": "Red Hat"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2012-6612",
"discovery_date": "2013-11-29T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1035981"
}
],
"notes": [
{
"category": "description",
"text": "The (1) UpdateRequestHandler for XSLT or (2) XPathEntityProcessor in Apache Solr before 4.1 allows remote attackers to have an unspecified impact via XML data containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue, different vectors than CVE-2013-6407.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "Solr: XML eXternal Entity (XXE) flaw in XML and XSLT UpdateRequestHandler",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss Data Grid 6.2"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2012-6612"
},
{
"category": "external",
"summary": "RHBZ#1035981",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1035981"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2012-6612",
"url": "https://www.cve.org/CVERecord?id=CVE-2012-6612"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2012-6612",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2012-6612"
}
],
"release_date": "2012-09-26T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2014-01-15T17:45:50+00:00",
"details": "The References section of this erratum contains a download link (you must\nlog in to download the update). Before applying this update, back up your\nexisting JBoss Data Grid installation.",
"product_ids": [
"Red Hat JBoss Data Grid 6.2"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2014:0029"
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"products": [
"Red Hat JBoss Data Grid 6.2"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "Solr: XML eXternal Entity (XXE) flaw in XML and XSLT UpdateRequestHandler"
},
{
"cve": "CVE-2013-1921",
"discovery_date": "2013-04-03T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "948106"
}
],
"notes": [
{
"category": "description",
"text": "PicketBox, as used in Red Hat JBoss Enterprise Application Platform before 6.1.1, allows local users to obtain the admin encryption key by reading the Vault data file.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "PicketBox: Insecure storage of masked passwords",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss Data Grid 6.2"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2013-1921"
},
{
"category": "external",
"summary": "RHBZ#948106",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=948106"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2013-1921",
"url": "https://www.cve.org/CVERecord?id=CVE-2013-1921"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2013-1921",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2013-1921"
}
],
"release_date": "2013-09-04T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2014-01-15T17:45:50+00:00",
"details": "The References section of this erratum contains a download link (you must\nlog in to download the update). Before applying this update, back up your\nexisting JBoss Data Grid installation.",
"product_ids": [
"Red Hat JBoss Data Grid 6.2"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2014:0029"
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "LOW",
"accessVector": "LOCAL",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 1.7,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:L/AC:L/Au:S/C:P/I:N/A:N",
"version": "2.0"
},
"products": [
"Red Hat JBoss Data Grid 6.2"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "PicketBox: Insecure storage of masked passwords"
},
{
"acknowledgments": [
{
"names": [
"Florian Weimer"
],
"organization": "Red Hat Product Security Team",
"summary": "This issue was discovered by Red Hat."
}
],
"cve": "CVE-2013-2035",
"cwe": {
"id": "CWE-377",
"name": "Insecure Temporary File"
},
"discovery_date": "2013-04-26T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "958618"
}
],
"notes": [
{
"category": "description",
"text": "The HawtJNI Library class wrote native libraries to a predictable file name in /tmp when the native libraries were bundled in a JAR file, and no custom library path was specified. A local attacker could overwrite these native libraries with malicious versions during the window between when HawtJNI writes them and when they are executed.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "HawtJNI: predictable temporary file name leading to local arbitrary code execution",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss Data Grid 6.2"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2013-2035"
},
{
"category": "external",
"summary": "RHBZ#958618",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=958618"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2013-2035",
"url": "https://www.cve.org/CVERecord?id=CVE-2013-2035"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2013-2035",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2013-2035"
}
],
"release_date": "2013-05-13T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2014-01-15T17:45:50+00:00",
"details": "The References section of this erratum contains a download link (you must\nlog in to download the update). Before applying this update, back up your\nexisting JBoss Data Grid installation.",
"product_ids": [
"Red Hat JBoss Data Grid 6.2"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2014:0029"
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "MEDIUM",
"accessVector": "LOCAL",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 3.3,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:N",
"version": "2.0"
},
"products": [
"Red Hat JBoss Data Grid 6.2"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "HawtJNI: predictable temporary file name leading to local arbitrary code execution"
},
{
"cve": "CVE-2013-3827",
"cwe": {
"id": "CWE-22",
"name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
},
"discovery_date": "2013-12-03T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1038898"
}
],
"notes": [
{
"category": "description",
"text": "Unspecified vulnerability in the Oracle GlassFish Server component in Oracle Fusion Middleware 2.1.1, 3.0.1, and 3.1.2; the Oracle JDeveloper component in Oracle Fusion Middleware 11.1.2.3.0, 11.1.2.4.0, and 12.1.2.0.0; and the Oracle WebLogic Server component in Oracle Fusion Middleware 10.3.6.0 and 12.1.1 allows remote attackers to affect confidentiality via unknown vectors related to Java Server Faces or Web Container.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "JSF2: Multiple Information Disclosure flaws due to unsafe path traversal",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss Data Grid 6.2"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2013-3827"
},
{
"category": "external",
"summary": "RHBZ#1038898",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1038898"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2013-3827",
"url": "https://www.cve.org/CVERecord?id=CVE-2013-3827"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2013-3827",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2013-3827"
}
],
"release_date": "2013-10-17T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2014-01-15T17:45:50+00:00",
"details": "The References section of this erratum contains a download link (you must\nlog in to download the update). Before applying this update, back up your\nexisting JBoss Data Grid installation.",
"product_ids": [
"Red Hat JBoss Data Grid 6.2"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2014:0029"
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"products": [
"Red Hat JBoss Data Grid 6.2"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "JSF2: Multiple Information Disclosure flaws due to unsafe path traversal"
},
{
"cve": "CVE-2013-4112",
"discovery_date": "2013-07-11T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "983489"
}
],
"notes": [
{
"category": "description",
"text": "The DiagnosticsHandler in JGroup 3.0.x, 3.1.x, 3.2.x before 3.2.9, and 3.3.x before 3.3.3 allows remote attackers to obtain sensitive information (diagnostic information) and execute arbitrary code by reusing valid credentials.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "JGroups: Authentication via cached credentials",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss Data Grid 6.2"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2013-4112"
},
{
"category": "external",
"summary": "RHBZ#983489",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=983489"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2013-4112",
"url": "https://www.cve.org/CVERecord?id=CVE-2013-4112"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2013-4112",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2013-4112"
}
],
"release_date": "2013-07-11T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2014-01-15T17:45:50+00:00",
"details": "The References section of this erratum contains a download link (you must\nlog in to download the update). Before applying this update, back up your\nexisting JBoss Data Grid installation.",
"product_ids": [
"Red Hat JBoss Data Grid 6.2"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2014:0029"
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "LOW",
"accessVector": "ADJACENT_NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 3.3,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:A/AC:L/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"products": [
"Red Hat JBoss Data Grid 6.2"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "JGroups: Authentication via cached credentials"
},
{
"cve": "CVE-2013-6397",
"cwe": {
"id": "CWE-22",
"name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
},
"discovery_date": "2013-11-26T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1035062"
}
],
"notes": [
{
"category": "description",
"text": "Directory traversal vulnerability in SolrResourceLoader in Apache Solr before 4.6 allows remote attackers to read arbitrary files via a .. (dot dot) or full pathname in the tr parameter to solr/select/, when the response writer (wt parameter) is set to XSLT. NOTE: this can be leveraged using a separate XXE (XML eXternal Entity) vulnerability to allow access to files across restricted network boundaries.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "Solr: directory traversal when loading XSL stylesheets and Velocity templates",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss Data Grid 6.2"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2013-6397"
},
{
"category": "external",
"summary": "RHBZ#1035062",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1035062"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2013-6397",
"url": "https://www.cve.org/CVERecord?id=CVE-2013-6397"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2013-6397",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2013-6397"
},
{
"category": "external",
"summary": "http://www.agarri.fr/kom/archives/2013/11/27/compromising_an_unreachable_solr_server_with_cve-2013-6397/index.html",
"url": "http://www.agarri.fr/kom/archives/2013/11/27/compromising_an_unreachable_solr_server_with_cve-2013-6397/index.html"
}
],
"release_date": "2013-11-26T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2014-01-15T17:45:50+00:00",
"details": "The References section of this erratum contains a download link (you must\nlog in to download the update). Before applying this update, back up your\nexisting JBoss Data Grid installation.",
"product_ids": [
"Red Hat JBoss Data Grid 6.2"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2014:0029"
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 6.4,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:N",
"version": "2.0"
},
"products": [
"Red Hat JBoss Data Grid 6.2"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "Solr: directory traversal when loading XSL stylesheets and Velocity templates"
},
{
"cve": "CVE-2013-6407",
"discovery_date": "2013-11-29T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1035981"
}
],
"notes": [
{
"category": "description",
"text": "The UpdateRequestHandler for XML in Apache Solr before 4.1 allows remote attackers to have an unspecified impact via XML data containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "Solr: XML eXternal Entity (XXE) flaw in XML and XSLT UpdateRequestHandler",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss Data Grid 6.2"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2013-6407"
},
{
"category": "external",
"summary": "RHBZ#1035981",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1035981"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2013-6407",
"url": "https://www.cve.org/CVERecord?id=CVE-2013-6407"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2013-6407",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2013-6407"
}
],
"release_date": "2012-09-26T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2014-01-15T17:45:50+00:00",
"details": "The References section of this erratum contains a download link (you must\nlog in to download the update). Before applying this update, back up your\nexisting JBoss Data Grid installation.",
"product_ids": [
"Red Hat JBoss Data Grid 6.2"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2014:0029"
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"products": [
"Red Hat JBoss Data Grid 6.2"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "Solr: XML eXternal Entity (XXE) flaw in XML and XSLT UpdateRequestHandler"
},
{
"cve": "CVE-2013-6408",
"discovery_date": "2013-11-29T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1035985"
}
],
"notes": [
{
"category": "description",
"text": "The DocumentAnalysisRequestHandler in Apache Solr before 4.3.1 does not properly use the EmptyEntityResolver, which allows remote attackers to have an unspecified impact via XML data containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-6407.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "Solr: XML eXternal Entity (XXE) flaw in DocumentAnalysisRequestHandler",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss Data Grid 6.2"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2013-6408"
},
{
"category": "external",
"summary": "RHBZ#1035985",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1035985"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2013-6408",
"url": "https://www.cve.org/CVERecord?id=CVE-2013-6408"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2013-6408",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2013-6408"
}
],
"release_date": "2013-05-31T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2014-01-15T17:45:50+00:00",
"details": "The References section of this erratum contains a download link (you must\nlog in to download the update). Before applying this update, back up your\nexisting JBoss Data Grid installation.",
"product_ids": [
"Red Hat JBoss Data Grid 6.2"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2014:0029"
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"products": [
"Red Hat JBoss Data Grid 6.2"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "Solr: XML eXternal Entity (XXE) flaw in DocumentAnalysisRequestHandler"
}
]
}
RHSA-2014:0029
Vulnerability from csaf_redhat - Published: 2014-01-15 17:45 - Updated: 2025-11-21 17:46Summary
Red Hat Security Advisory: Red Hat JBoss Data Grid 6.2.0 update
Notes
Topic
Red Hat JBoss Data Grid 6.2.0, which fixes multiple security issues,
various bugs, and adds enhancements, is now available from the Red Hat
Customer Portal.
The Red Hat Security Response Team has rated this update as having
important security impact. Common Vulnerability Scoring System (CVSS) base
scores, which give detailed severity ratings, are available for each
vulnerability from the CVE links in the References section.
Details
Red Hat JBoss Data Grid is a distributed in-memory data grid, based on
Infinispan.
This release of Red Hat JBoss Data Grid 6.2.0 serves as a replacement for
Red Hat JBoss Data Grid 6.1.0. It includes various bug fixes and
enhancements which are detailed in the Red Hat JBoss Data Grid 6.2.0
Release Notes. The Release Notes will be available shortly from
https://access.redhat.com/site/documentation/Red_Hat_JBoss_Data_Grid/
This update also fixes the following security issues:
Multiple path traversal flaws where found in the Mojarra JSF2
implementation for identifying resources by name or by library.
An unauthenticated, remote attacker could use these flaws to gather
otherwise undisclosed information from within an application's root
directory. (CVE-2013-3827)
It was found that the SolrResourceLoader class in Apache Solr allowed
loading of resources via absolute paths, or relative paths which were not
sanitized for directory traversal. Some Solr components expose REST
interfaces which load resources (XSL style sheets and Velocity templates)
via SolrResourceLoader, using paths identified by REST parameters. A remote
attacker could use this flaw to load arbitrary local files on the server
via SolrResourceLoader, potentially resulting in information disclosure or
remote code execution. (CVE-2013-6397)
It was found that the XML and XSLT UpdateRequestHandler classes in Apache
Solr would resolve external entities, allowing an attacker to conduct XML
External Entity (XXE) attacks. A remote attacker could use this flaw to
read files accessible to the user running the application server, and
potentially perform other more advanced XXE attacks. (CVE-2012-6612,
CVE-2013-6407)
It was found that the DocumentAnalysisRequestHandler class in Apache Solr
would resolve external entities, allowing an attacker to conduct XXE
attacks. A remote attacker could use this flaw to read files accessible to
the user running the application server, and potentially perform other more
advanced XXE attacks. (CVE-2013-6408)
The data file used by PicketBox Vault to store encrypted passwords contains
a copy of its own admin key. The file is encrypted using only this admin
key, not the corresponding JKS key. A local attacker with permission to
read the vault data file could read the admin key from the file.
(CVE-2013-1921)
The HawtJNI Library class wrote native libraries to a predictable file name
in /tmp/ when the native libraries were bundled in a JAR file, and no
custom library path was specified. A local attacker could overwrite these
native libraries with malicious versions during the window between when
HawtJNI writes them and when they are executed. (CVE-2013-2035)
A flaw was found in JGroup's DiagnosticsHandler that allowed an attacker on
an adjacent network to reuse the credentials from a previous successful
authentication. This could be exploited to read diagnostic information
(information disclosure) and attain limited remote code execution.
(CVE-2013-4112)
Note that CVE-2013-6397, CVE-2013-6407, and CVE-2013-6408 are not exposed
by default. They are only exploitable if a user has manually exposed
servlets provided in the Apachr Solr component that ships with Red Hat
JBoss Data Grid, or written their own code that makes use of the vulnerable
elements of Apache Solr.
The CVE-2013-2035 issue was discovered by Florian Weimer of the Red Hat
Product Security Team.
All users of Red Hat JBoss Data Grid 6.1.0 as provided from the Red Hat
Customer Portal are advised to upgrade to Red Hat JBoss Data Grid 6.2.0.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Red Hat JBoss Data Grid 6.2.0, which fixes multiple security issues,\nvarious bugs, and adds enhancements, is now available from the Red Hat\nCustomer Portal.\n\nThe Red Hat Security Response Team has rated this update as having\nimportant security impact. Common Vulnerability Scoring System (CVSS) base\nscores, which give detailed severity ratings, are available for each\nvulnerability from the CVE links in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Red Hat JBoss Data Grid is a distributed in-memory data grid, based on\nInfinispan.\n\nThis release of Red Hat JBoss Data Grid 6.2.0 serves as a replacement for\nRed Hat JBoss Data Grid 6.1.0. It includes various bug fixes and\nenhancements which are detailed in the Red Hat JBoss Data Grid 6.2.0\nRelease Notes. The Release Notes will be available shortly from\nhttps://access.redhat.com/site/documentation/Red_Hat_JBoss_Data_Grid/\n\nThis update also fixes the following security issues:\n\nMultiple path traversal flaws where found in the Mojarra JSF2\nimplementation for identifying resources by name or by library.\nAn unauthenticated, remote attacker could use these flaws to gather\notherwise undisclosed information from within an application\u0027s root\ndirectory. (CVE-2013-3827)\n\nIt was found that the SolrResourceLoader class in Apache Solr allowed\nloading of resources via absolute paths, or relative paths which were not\nsanitized for directory traversal. Some Solr components expose REST\ninterfaces which load resources (XSL style sheets and Velocity templates)\nvia SolrResourceLoader, using paths identified by REST parameters. A remote\nattacker could use this flaw to load arbitrary local files on the server\nvia SolrResourceLoader, potentially resulting in information disclosure or\nremote code execution. (CVE-2013-6397)\n\nIt was found that the XML and XSLT UpdateRequestHandler classes in Apache\nSolr would resolve external entities, allowing an attacker to conduct XML\nExternal Entity (XXE) attacks. A remote attacker could use this flaw to\nread files accessible to the user running the application server, and\npotentially perform other more advanced XXE attacks. (CVE-2012-6612,\nCVE-2013-6407)\n\nIt was found that the DocumentAnalysisRequestHandler class in Apache Solr\nwould resolve external entities, allowing an attacker to conduct XXE\nattacks. A remote attacker could use this flaw to read files accessible to\nthe user running the application server, and potentially perform other more\nadvanced XXE attacks. (CVE-2013-6408)\n\nThe data file used by PicketBox Vault to store encrypted passwords contains\na copy of its own admin key. The file is encrypted using only this admin\nkey, not the corresponding JKS key. A local attacker with permission to\nread the vault data file could read the admin key from the file.\n(CVE-2013-1921)\n\nThe HawtJNI Library class wrote native libraries to a predictable file name\nin /tmp/ when the native libraries were bundled in a JAR file, and no\ncustom library path was specified. A local attacker could overwrite these\nnative libraries with malicious versions during the window between when\nHawtJNI writes them and when they are executed. (CVE-2013-2035)\n\nA flaw was found in JGroup\u0027s DiagnosticsHandler that allowed an attacker on\nan adjacent network to reuse the credentials from a previous successful\nauthentication. This could be exploited to read diagnostic information\n(information disclosure) and attain limited remote code execution.\n(CVE-2013-4112)\n\nNote that CVE-2013-6397, CVE-2013-6407, and CVE-2013-6408 are not exposed\nby default. They are only exploitable if a user has manually exposed\nservlets provided in the Apachr Solr component that ships with Red Hat\nJBoss Data Grid, or written their own code that makes use of the vulnerable\nelements of Apache Solr.\n\nThe CVE-2013-2035 issue was discovered by Florian Weimer of the Red Hat\nProduct Security Team.\n\nAll users of Red Hat JBoss Data Grid 6.1.0 as provided from the Red Hat\nCustomer Portal are advised to upgrade to Red Hat JBoss Data Grid 6.2.0.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2014:0029",
"url": "https://access.redhat.com/errata/RHSA-2014:0029"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=data.grid\u0026downloadType=distributions",
"url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=data.grid\u0026downloadType=distributions"
},
{
"category": "external",
"summary": "https://access.redhat.com/site/documentation/Red_Hat_JBoss_Data_Grid/",
"url": "https://access.redhat.com/site/documentation/Red_Hat_JBoss_Data_Grid/"
},
{
"category": "external",
"summary": "948106",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=948106"
},
{
"category": "external",
"summary": "958618",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=958618"
},
{
"category": "external",
"summary": "983489",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=983489"
},
{
"category": "external",
"summary": "1035062",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1035062"
},
{
"category": "external",
"summary": "1035981",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1035981"
},
{
"category": "external",
"summary": "1035985",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1035985"
},
{
"category": "external",
"summary": "1038898",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1038898"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2014/rhsa-2014_0029.json"
}
],
"title": "Red Hat Security Advisory: Red Hat JBoss Data Grid 6.2.0 update",
"tracking": {
"current_release_date": "2025-11-21T17:46:52+00:00",
"generator": {
"date": "2025-11-21T17:46:52+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.6.12"
}
},
"id": "RHSA-2014:0029",
"initial_release_date": "2014-01-15T17:45:50+00:00",
"revision_history": [
{
"date": "2014-01-15T17:45:50+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2019-02-20T12:32:49+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2025-11-21T17:46:52+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat JBoss Data Grid 6.2",
"product": {
"name": "Red Hat JBoss Data Grid 6.2",
"product_id": "Red Hat JBoss Data Grid 6.2",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:jboss_data_grid:6.2.0"
}
}
}
],
"category": "product_family",
"name": "Red Hat JBoss Data Grid"
}
],
"category": "vendor",
"name": "Red Hat"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2012-6612",
"discovery_date": "2013-11-29T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1035981"
}
],
"notes": [
{
"category": "description",
"text": "The (1) UpdateRequestHandler for XSLT or (2) XPathEntityProcessor in Apache Solr before 4.1 allows remote attackers to have an unspecified impact via XML data containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue, different vectors than CVE-2013-6407.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "Solr: XML eXternal Entity (XXE) flaw in XML and XSLT UpdateRequestHandler",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss Data Grid 6.2"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2012-6612"
},
{
"category": "external",
"summary": "RHBZ#1035981",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1035981"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2012-6612",
"url": "https://www.cve.org/CVERecord?id=CVE-2012-6612"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2012-6612",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2012-6612"
}
],
"release_date": "2012-09-26T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2014-01-15T17:45:50+00:00",
"details": "The References section of this erratum contains a download link (you must\nlog in to download the update). Before applying this update, back up your\nexisting JBoss Data Grid installation.",
"product_ids": [
"Red Hat JBoss Data Grid 6.2"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2014:0029"
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"products": [
"Red Hat JBoss Data Grid 6.2"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "Solr: XML eXternal Entity (XXE) flaw in XML and XSLT UpdateRequestHandler"
},
{
"cve": "CVE-2013-1921",
"discovery_date": "2013-04-03T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "948106"
}
],
"notes": [
{
"category": "description",
"text": "PicketBox, as used in Red Hat JBoss Enterprise Application Platform before 6.1.1, allows local users to obtain the admin encryption key by reading the Vault data file.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "PicketBox: Insecure storage of masked passwords",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss Data Grid 6.2"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2013-1921"
},
{
"category": "external",
"summary": "RHBZ#948106",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=948106"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2013-1921",
"url": "https://www.cve.org/CVERecord?id=CVE-2013-1921"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2013-1921",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2013-1921"
}
],
"release_date": "2013-09-04T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2014-01-15T17:45:50+00:00",
"details": "The References section of this erratum contains a download link (you must\nlog in to download the update). Before applying this update, back up your\nexisting JBoss Data Grid installation.",
"product_ids": [
"Red Hat JBoss Data Grid 6.2"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2014:0029"
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "LOW",
"accessVector": "LOCAL",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 1.7,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:L/AC:L/Au:S/C:P/I:N/A:N",
"version": "2.0"
},
"products": [
"Red Hat JBoss Data Grid 6.2"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "PicketBox: Insecure storage of masked passwords"
},
{
"acknowledgments": [
{
"names": [
"Florian Weimer"
],
"organization": "Red Hat Product Security Team",
"summary": "This issue was discovered by Red Hat."
}
],
"cve": "CVE-2013-2035",
"cwe": {
"id": "CWE-377",
"name": "Insecure Temporary File"
},
"discovery_date": "2013-04-26T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "958618"
}
],
"notes": [
{
"category": "description",
"text": "The HawtJNI Library class wrote native libraries to a predictable file name in /tmp when the native libraries were bundled in a JAR file, and no custom library path was specified. A local attacker could overwrite these native libraries with malicious versions during the window between when HawtJNI writes them and when they are executed.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "HawtJNI: predictable temporary file name leading to local arbitrary code execution",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss Data Grid 6.2"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2013-2035"
},
{
"category": "external",
"summary": "RHBZ#958618",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=958618"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2013-2035",
"url": "https://www.cve.org/CVERecord?id=CVE-2013-2035"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2013-2035",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2013-2035"
}
],
"release_date": "2013-05-13T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2014-01-15T17:45:50+00:00",
"details": "The References section of this erratum contains a download link (you must\nlog in to download the update). Before applying this update, back up your\nexisting JBoss Data Grid installation.",
"product_ids": [
"Red Hat JBoss Data Grid 6.2"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2014:0029"
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "MEDIUM",
"accessVector": "LOCAL",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 3.3,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:N",
"version": "2.0"
},
"products": [
"Red Hat JBoss Data Grid 6.2"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "HawtJNI: predictable temporary file name leading to local arbitrary code execution"
},
{
"cve": "CVE-2013-3827",
"cwe": {
"id": "CWE-22",
"name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
},
"discovery_date": "2013-12-03T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1038898"
}
],
"notes": [
{
"category": "description",
"text": "Unspecified vulnerability in the Oracle GlassFish Server component in Oracle Fusion Middleware 2.1.1, 3.0.1, and 3.1.2; the Oracle JDeveloper component in Oracle Fusion Middleware 11.1.2.3.0, 11.1.2.4.0, and 12.1.2.0.0; and the Oracle WebLogic Server component in Oracle Fusion Middleware 10.3.6.0 and 12.1.1 allows remote attackers to affect confidentiality via unknown vectors related to Java Server Faces or Web Container.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "JSF2: Multiple Information Disclosure flaws due to unsafe path traversal",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss Data Grid 6.2"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2013-3827"
},
{
"category": "external",
"summary": "RHBZ#1038898",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1038898"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2013-3827",
"url": "https://www.cve.org/CVERecord?id=CVE-2013-3827"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2013-3827",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2013-3827"
}
],
"release_date": "2013-10-17T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2014-01-15T17:45:50+00:00",
"details": "The References section of this erratum contains a download link (you must\nlog in to download the update). Before applying this update, back up your\nexisting JBoss Data Grid installation.",
"product_ids": [
"Red Hat JBoss Data Grid 6.2"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2014:0029"
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"products": [
"Red Hat JBoss Data Grid 6.2"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "JSF2: Multiple Information Disclosure flaws due to unsafe path traversal"
},
{
"cve": "CVE-2013-4112",
"discovery_date": "2013-07-11T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "983489"
}
],
"notes": [
{
"category": "description",
"text": "The DiagnosticsHandler in JGroup 3.0.x, 3.1.x, 3.2.x before 3.2.9, and 3.3.x before 3.3.3 allows remote attackers to obtain sensitive information (diagnostic information) and execute arbitrary code by reusing valid credentials.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "JGroups: Authentication via cached credentials",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss Data Grid 6.2"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2013-4112"
},
{
"category": "external",
"summary": "RHBZ#983489",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=983489"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2013-4112",
"url": "https://www.cve.org/CVERecord?id=CVE-2013-4112"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2013-4112",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2013-4112"
}
],
"release_date": "2013-07-11T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2014-01-15T17:45:50+00:00",
"details": "The References section of this erratum contains a download link (you must\nlog in to download the update). Before applying this update, back up your\nexisting JBoss Data Grid installation.",
"product_ids": [
"Red Hat JBoss Data Grid 6.2"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2014:0029"
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "LOW",
"accessVector": "ADJACENT_NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 3.3,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:A/AC:L/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"products": [
"Red Hat JBoss Data Grid 6.2"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "JGroups: Authentication via cached credentials"
},
{
"cve": "CVE-2013-6397",
"cwe": {
"id": "CWE-22",
"name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
},
"discovery_date": "2013-11-26T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1035062"
}
],
"notes": [
{
"category": "description",
"text": "Directory traversal vulnerability in SolrResourceLoader in Apache Solr before 4.6 allows remote attackers to read arbitrary files via a .. (dot dot) or full pathname in the tr parameter to solr/select/, when the response writer (wt parameter) is set to XSLT. NOTE: this can be leveraged using a separate XXE (XML eXternal Entity) vulnerability to allow access to files across restricted network boundaries.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "Solr: directory traversal when loading XSL stylesheets and Velocity templates",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss Data Grid 6.2"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2013-6397"
},
{
"category": "external",
"summary": "RHBZ#1035062",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1035062"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2013-6397",
"url": "https://www.cve.org/CVERecord?id=CVE-2013-6397"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2013-6397",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2013-6397"
},
{
"category": "external",
"summary": "http://www.agarri.fr/kom/archives/2013/11/27/compromising_an_unreachable_solr_server_with_cve-2013-6397/index.html",
"url": "http://www.agarri.fr/kom/archives/2013/11/27/compromising_an_unreachable_solr_server_with_cve-2013-6397/index.html"
}
],
"release_date": "2013-11-26T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2014-01-15T17:45:50+00:00",
"details": "The References section of this erratum contains a download link (you must\nlog in to download the update). Before applying this update, back up your\nexisting JBoss Data Grid installation.",
"product_ids": [
"Red Hat JBoss Data Grid 6.2"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2014:0029"
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 6.4,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:N",
"version": "2.0"
},
"products": [
"Red Hat JBoss Data Grid 6.2"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "Solr: directory traversal when loading XSL stylesheets and Velocity templates"
},
{
"cve": "CVE-2013-6407",
"discovery_date": "2013-11-29T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1035981"
}
],
"notes": [
{
"category": "description",
"text": "The UpdateRequestHandler for XML in Apache Solr before 4.1 allows remote attackers to have an unspecified impact via XML data containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "Solr: XML eXternal Entity (XXE) flaw in XML and XSLT UpdateRequestHandler",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss Data Grid 6.2"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2013-6407"
},
{
"category": "external",
"summary": "RHBZ#1035981",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1035981"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2013-6407",
"url": "https://www.cve.org/CVERecord?id=CVE-2013-6407"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2013-6407",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2013-6407"
}
],
"release_date": "2012-09-26T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2014-01-15T17:45:50+00:00",
"details": "The References section of this erratum contains a download link (you must\nlog in to download the update). Before applying this update, back up your\nexisting JBoss Data Grid installation.",
"product_ids": [
"Red Hat JBoss Data Grid 6.2"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2014:0029"
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"products": [
"Red Hat JBoss Data Grid 6.2"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "Solr: XML eXternal Entity (XXE) flaw in XML and XSLT UpdateRequestHandler"
},
{
"cve": "CVE-2013-6408",
"discovery_date": "2013-11-29T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1035985"
}
],
"notes": [
{
"category": "description",
"text": "The DocumentAnalysisRequestHandler in Apache Solr before 4.3.1 does not properly use the EmptyEntityResolver, which allows remote attackers to have an unspecified impact via XML data containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-6407.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "Solr: XML eXternal Entity (XXE) flaw in DocumentAnalysisRequestHandler",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss Data Grid 6.2"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2013-6408"
},
{
"category": "external",
"summary": "RHBZ#1035985",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1035985"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2013-6408",
"url": "https://www.cve.org/CVERecord?id=CVE-2013-6408"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2013-6408",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2013-6408"
}
],
"release_date": "2013-05-31T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2014-01-15T17:45:50+00:00",
"details": "The References section of this erratum contains a download link (you must\nlog in to download the update). Before applying this update, back up your\nexisting JBoss Data Grid installation.",
"product_ids": [
"Red Hat JBoss Data Grid 6.2"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2014:0029"
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"products": [
"Red Hat JBoss Data Grid 6.2"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "Solr: XML eXternal Entity (XXE) flaw in DocumentAnalysisRequestHandler"
}
]
}
GSD-2013-3827
Vulnerability from gsd - Updated: 2023-12-13 01:22Details
Unspecified vulnerability in the Oracle GlassFish Server component in Oracle Fusion Middleware 2.1.1, 3.0.1, and 3.1.2; the Oracle JDeveloper component in Oracle Fusion Middleware 11.1.2.3.0, 11.1.2.4.0, and 12.1.2.0.0; and the Oracle WebLogic Server component in Oracle Fusion Middleware 10.3.6.0 and 12.1.1 allows remote attackers to affect confidentiality via unknown vectors related to Java Server Faces or Web Container.
Aliases
Aliases
{
"GSD": {
"alias": "CVE-2013-3827",
"description": "Unspecified vulnerability in the Oracle GlassFish Server component in Oracle Fusion Middleware 2.1.1, 3.0.1, and 3.1.2; the Oracle JDeveloper component in Oracle Fusion Middleware 11.1.2.3.0, 11.1.2.4.0, and 12.1.2.0.0; and the Oracle WebLogic Server component in Oracle Fusion Middleware 10.3.6.0 and 12.1.1 allows remote attackers to affect confidentiality via unknown vectors related to Java Server Faces or Web Container.",
"id": "GSD-2013-3827",
"references": [
"https://access.redhat.com/errata/RHSA-2014:0029"
]
},
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"aliases": [
"CVE-2013-3827"
],
"details": "Unspecified vulnerability in the Oracle GlassFish Server component in Oracle Fusion Middleware 2.1.1, 3.0.1, and 3.1.2; the Oracle JDeveloper component in Oracle Fusion Middleware 11.1.2.3.0, 11.1.2.4.0, and 12.1.2.0.0; and the Oracle WebLogic Server component in Oracle Fusion Middleware 10.3.6.0 and 12.1.1 allows remote attackers to affect confidentiality via unknown vectors related to Java Server Faces or Web Container.",
"id": "GSD-2013-3827",
"modified": "2023-12-13T01:22:22.894394Z",
"schema_version": "1.4.0"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "secalert_us@oracle.com",
"ID": "CVE-2013-3827",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Unspecified vulnerability in the Oracle GlassFish Server component in Oracle Fusion Middleware 2.1.1, 3.0.1, and 3.1.2; the Oracle JDeveloper component in Oracle Fusion Middleware 11.1.2.3.0, 11.1.2.4.0, and 12.1.2.0.0; and the Oracle WebLogic Server component in Oracle Fusion Middleware 10.3.6.0 and 12.1.1 allows remote attackers to affect confidentiality via unknown vectors related to Java Server Faces or Web Container."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "63052",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/63052"
},
{
"name": "RHSA-2014:0029",
"refsource": "REDHAT",
"url": "http://rhn.redhat.com/errata/RHSA-2014-0029.html"
},
{
"name": "VU#526012",
"refsource": "CERT-VN",
"url": "http://www.kb.cert.org/vuls/id/526012"
},
{
"name": "http://www.oracle.com/technetwork/topics/security/cpuoct2013-1899837.html",
"refsource": "CONFIRM",
"url": "http://www.oracle.com/technetwork/topics/security/cpuoct2013-1899837.html"
},
{
"name": "1029190",
"refsource": "SECTRACK",
"url": "http://www.securitytracker.com/id/1029190"
}
]
}
},
"gitlab.com": {
"advisories": [
{
"affected_range": "[2-alpha0,2.1.18]",
"affected_versions": "All versions starting from 2-alpha0 up to 2.1.18",
"cvss_v2": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"cwe_ids": [
"CWE-1035",
"CWE-937"
],
"date": "2016-12-30",
"description": "This package allows remote attackers to affect confidentiality via unknown vectors related to Java Server Faces or Web Container.",
"fixed_versions": [
"2.1.19"
],
"identifier": "CVE-2013-3827",
"identifiers": [
"CVE-2013-3827"
],
"not_impacted": "All versions before 2-alpha0, all versions after 2.1.18",
"package_slug": "maven/com.sun.faces/jsf-impl",
"pubdate": "2013-10-16",
"solution": "Upgrade to version 2.1.19 or above.",
"title": "XML External Entity (XXE) injection",
"urls": [
"https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-3827"
],
"uuid": "457b6737-a09b-4ebb-b39d-5cca1a033b0c"
},
{
"affected_range": "[2.0.0,2.1.19)",
"affected_versions": "All versions starting from 2.0.0 before 2.1.19",
"cvss_v2": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"cwe_ids": [
"CWE-1035",
"CWE-352",
"CWE-937"
],
"date": "2022-11-03",
"description": "Unspecified vulnerability in the Oracle GlassFish Server component in Oracle Fusion Middleware 2.1.1, 3.0.1, and 3.1.2; the Oracle JDeveloper component in Oracle Fusion Middleware 11.1.2.3.0, 11.1.2.4.0, and 12.1.2.0.0; and the Oracle WebLogic Server component in Oracle Fusion Middleware 10.3.6.0 and 12.1.1 allows remote attackers to affect confidentiality via unknown vectors related to Java Server Faces or Web Container.",
"fixed_versions": [
"2.1.19"
],
"identifier": "CVE-2013-3827",
"identifiers": [
"GHSA-q388-j7cw-ff7w",
"CVE-2013-3827"
],
"not_impacted": "All versions before 2.0.0, all versions starting from 2.1.19",
"package_slug": "maven/org.glassfish/javax.faces",
"pubdate": "2022-05-17",
"solution": "Upgrade to version 2.1.19 or above.",
"title": "Relative Path Traversal",
"urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2013-3827",
"http://rhn.redhat.com/errata/RHSA-2014-0029.html",
"http://www.kb.cert.org/vuls/id/526012",
"https://bugs.gentoo.org/show_bug.cgi?id=CVE-2013-3827",
"https://github.com/advisories/GHSA-q388-j7cw-ff7w"
],
"uuid": "c1e795ae-da01-4f44-8f18-7bc23e476c56"
}
]
},
"nvd.nist.gov": {
"configurations": {
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:oracle:fusion_middleware:11.1.2.3.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:oracle:fusion_middleware:11.1.2.4.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:oracle:fusion_middleware:3.0.1:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:oracle:fusion_middleware:3.1.2:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:oracle:fusion_middleware:12.1.2.0.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:oracle:fusion_middleware:12.1.1:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:oracle:fusion_middleware:10.3.6:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:oracle:fusion_middleware:2.1.1:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
}
]
},
"cve": {
"CVE_data_meta": {
"ASSIGNER": "secalert_us@oracle.com",
"ID": "CVE-2013-3827"
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "en",
"value": "Unspecified vulnerability in the Oracle GlassFish Server component in Oracle Fusion Middleware 2.1.1, 3.0.1, and 3.1.2; the Oracle JDeveloper component in Oracle Fusion Middleware 11.1.2.3.0, 11.1.2.4.0, and 12.1.2.0.0; and the Oracle WebLogic Server component in Oracle Fusion Middleware 10.3.6.0 and 12.1.1 allows remote attackers to affect confidentiality via unknown vectors related to Java Server Faces or Web Container."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-noinfo"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "http://www.oracle.com/technetwork/topics/security/cpuoct2013-1899837.html",
"refsource": "CONFIRM",
"tags": [
"Vendor Advisory"
],
"url": "http://www.oracle.com/technetwork/topics/security/cpuoct2013-1899837.html"
},
{
"name": "1029190",
"refsource": "SECTRACK",
"tags": [],
"url": "http://www.securitytracker.com/id/1029190"
},
{
"name": "VU#526012",
"refsource": "CERT-VN",
"tags": [
"US Government Resource"
],
"url": "http://www.kb.cert.org/vuls/id/526012"
},
{
"name": "RHSA-2014:0029",
"refsource": "REDHAT",
"tags": [],
"url": "http://rhn.redhat.com/errata/RHSA-2014-0029.html"
},
{
"name": "63052",
"refsource": "BID",
"tags": [],
"url": "http://www.securityfocus.com/bid/63052"
}
]
}
},
"impact": {
"baseMetricV2": {
"cvssV2": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "MEDIUM",
"userInteractionRequired": false
}
},
"lastModifiedDate": "2016-12-31T02:59Z",
"publishedDate": "2013-10-16T15:55Z"
}
}
}
GHSA-Q388-J7CW-FF7W
Vulnerability from github – Published: 2022-05-17 03:13 – Updated: 2022-11-03 22:33
VLAI?
Summary
Path Traversal in Eclipse Mojarra
Details
Multiple path traversal flaws where found in Mojarra JSF2 implementation for identifying resources by name or from libraries. An unauthenticated remote attacker can use these flaws to gather otherwise undisclosed information from within an application's root.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.glassfish:javax.faces"
},
"ranges": [
{
"events": [
{
"introduced": "2.0.0"
},
{
"fixed": "2.1.19"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2013-3827"
],
"database_specific": {
"cwe_ids": [
"CWE-22"
],
"github_reviewed": true,
"github_reviewed_at": "2022-11-03T22:33:13Z",
"nvd_published_at": "2013-10-16T15:55:00Z",
"severity": "MODERATE"
},
"details": "Multiple path traversal flaws where found in Mojarra JSF2 implementation for identifying resources by name or from libraries. An unauthenticated remote attacker can use these flaws to gather otherwise undisclosed information from within an application\u0027s root.",
"id": "GHSA-q388-j7cw-ff7w",
"modified": "2022-11-03T22:33:13Z",
"published": "2022-05-17T03:13:10Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2013-3827"
},
{
"type": "WEB",
"url": "https://bugs.gentoo.org/show_bug.cgi?id=CVE-2013-3827"
},
{
"type": "WEB",
"url": "http://rhn.redhat.com/errata/RHSA-2014-0029.html"
},
{
"type": "WEB",
"url": "http://www.kb.cert.org/vuls/id/526012"
}
],
"schema_version": "1.4.0",
"severity": [],
"summary": "Path Traversal in Eclipse Mojarra"
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…