Action not permitted
Modal body text goes here.
cve-2014-0114
Vulnerability from cvelistv5
Published
2014-04-30 10:00
Modified
2024-08-06 09:05
Severity ?
EPSS score ?
Summary
Apache Commons BeanUtils, as distributed in lib/commons-beanutils-1.8.0.jar in Apache Struts 1.x through 1.3.10 and in other products requiring commons-beanutils through 1.9.2, does not suppress the class property, which allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via the class parameter, as demonstrated by the passing of this parameter to the getClass method of the ActionForm object in Struts 1.
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T09:05:38.989Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "[apache-ignite-developers] 20180601 [CVE-2014-0114]: Apache Ignite is vulnerable to existing CVE-2014-0114",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://apache-ignite-developers.2346864.n4.nabble.com/CVE-2014-0114-Apache-Ignite-is-vulnerable-to-existing-CVE-2014-0114-td31205.html"
},
{
"name": "57477",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA",
"x_transferred"
],
"url": "http://secunia.com/advisories/57477"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://www.vmware.com/security/advisories/VMSA-2014-0008.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://issues.apache.org/jira/browse/BEANUTILS-463"
},
{
"name": "58710",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA",
"x_transferred"
],
"url": "http://secunia.com/advisories/58710"
},
{
"name": "MDVSA-2014:095",
"tags": [
"vendor-advisory",
"x_refsource_MANDRIVA",
"x_transferred"
],
"url": "http://www.mandriva.com/security/advisories?name=MDVSA-2014:095"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://www.vmware.com/security/advisories/VMSA-2014-0012.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://www-01.ibm.com/support/docview.wss?uid=swg21675689"
},
{
"name": "FEDORA-2014-9380",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2014-August/136958.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://www-01.ibm.com/support/docview.wss?uid=swg21674812"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20140911-0001/"
},
{
"name": "59464",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA",
"x_transferred"
],
"url": "http://secunia.com/advisories/59464"
},
{
"name": "59118",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA",
"x_transferred"
],
"url": "http://secunia.com/advisories/59118"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20180629-0006/"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://www-01.ibm.com/support/docview.wss?uid=swg21675387"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://access.redhat.com/solutions/869353"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1091938"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://commons.apache.org/proper/commons-beanutils/javadocs/v1.9.2/RELEASE-NOTES.txt"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://advisories.mageia.org/MGASA-2014-0219.html"
},
{
"name": "60703",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA",
"x_transferred"
],
"url": "http://secunia.com/advisories/60703"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://www-01.ibm.com/support/docview.wss?uid=swg21675972"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05324755"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://www-01.ibm.com/support/docview.wss?uid=swg21676375"
},
{
"name": "[oss-security] 20140707 Re: CVE request for commons-beanutils: \u0027class\u0027 property is exposed, potentially leading to RCE",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://openwall.com/lists/oss-security/2014/07/08/1"
},
{
"name": "RHSA-2018:2669",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2018:2669"
},
{
"name": "GLSA-201607-09",
"tags": [
"vendor-advisory",
"x_refsource_GENTOO",
"x_transferred"
],
"url": "https://security.gentoo.org/glsa/201607-09"
},
{
"name": "HPSBST03160",
"tags": [
"vendor-advisory",
"x_refsource_HP",
"x_transferred"
],
"url": "http://marc.info/?l=bugtraq\u0026m=141451023707502\u0026w=2"
},
{
"name": "20141205 NEW: VMSA-2014-0012 - VMware vSphere product updates address security vulnerabilities",
"tags": [
"mailing-list",
"x_refsource_BUGTRAQ",
"x_transferred"
],
"url": "http://www.securityfocus.com/archive/1/534161/100/0/threaded"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://www-01.ibm.com/support/docview.wss?uid=swg21675898"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://www-01.ibm.com/support/docview.wss?uid=swg21676110"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://www-01.ibm.com/support/docview.wss?uid=swg27042296"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://www-01.ibm.com/support/docview.wss?uid=swg21676303"
},
{
"name": "59228",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA",
"x_transferred"
],
"url": "http://secunia.com/advisories/59228"
},
{
"name": "59246",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA",
"x_transferred"
],
"url": "http://secunia.com/advisories/59246"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1116665"
},
{
"name": "[oss-security] 20140616 CVE request for commons-beanutils: \u0027class\u0027 property is exposed, potentially leading to RCE",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://openwall.com/lists/oss-security/2014/06/15/10"
},
{
"name": "59245",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA",
"x_transferred"
],
"url": "http://secunia.com/advisories/59245"
},
{
"name": "HPSBMU03090",
"tags": [
"vendor-advisory",
"x_refsource_HP",
"x_transferred"
],
"url": "http://marc.info/?l=bugtraq\u0026m=140801096002766\u0026w=2"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://www-01.ibm.com/support/docview.wss?uid=swg21674128"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://www-01.ibm.com/support/docview.wss?uid=swg21676931"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://www.oracle.com/technetwork/topics/security/cpujul2014-1972956.html"
},
{
"name": "60177",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA",
"x_transferred"
],
"url": "http://secunia.com/advisories/60177"
},
{
"name": "20141205 NEW: VMSA-2014-0012 - VMware vSphere product updates address security vulnerabilities",
"tags": [
"mailing-list",
"x_refsource_FULLDISC",
"x_transferred"
],
"url": "http://seclists.org/fulldisclosure/2014/Dec/23"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://www.ibm.com/support/docview.wss?uid=swg21675496"
},
{
"name": "DSA-2940",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "http://www.debian.org/security/2014/dsa-2940"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://www-01.ibm.com/support/docview.wss?uid=swg21675266"
},
{
"name": "59014",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA",
"x_transferred"
],
"url": "http://secunia.com/advisories/59014"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://www.oracle.com/technetwork/topics/security/cpuoct2014-1972960.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://www-01.ibm.com/support/docview.wss?uid=swg21677110"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://www-01.ibm.com/support/docview.wss?uid=swg21676091"
},
{
"name": "67121",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/67121"
},
{
"name": "59480",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA",
"x_transferred"
],
"url": "http://secunia.com/advisories/59480"
},
{
"name": "HPSBGN03041",
"tags": [
"vendor-advisory",
"x_refsource_HP",
"x_transferred"
],
"url": "http://marc.info/?l=bugtraq\u0026m=140119284401582\u0026w=2"
},
{
"name": "59479",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA",
"x_transferred"
],
"url": "http://secunia.com/advisories/59479"
},
{
"name": "59704",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA",
"x_transferred"
],
"url": "http://secunia.com/advisories/59704"
},
{
"name": "58947",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA",
"x_transferred"
],
"url": "http://secunia.com/advisories/58947"
},
{
"name": "59718",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA",
"x_transferred"
],
"url": "http://secunia.com/advisories/59718"
},
{
"name": "59430",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA",
"x_transferred"
],
"url": "http://secunia.com/advisories/59430"
},
{
"name": "58851",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA",
"x_transferred"
],
"url": "http://secunia.com/advisories/58851"
},
{
"name": "[lucene-solr-user] 20190104 Re: SOLR v7 Security Issues Caused Denial of Use - Sonatype Application Composition Report",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/708d94141126eac03011144a971a6411fcac16d9c248d1d535a39451%40%3Csolr-user.lucene.apache.org%3E"
},
{
"name": "[infra-devnull] 20190329 [GitHub] [pulsar] massakam opened pull request #3938: Upgrade third party libraries with security vulnerabilities",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/37e1ed724a1b0e5d191d98c822c426670bdfde83804567131847d2a3%40%3Cdevnull.infra.apache.org%3E"
},
{
"name": "[pulsar-commits] 20190329 [GitHub] [pulsar] massakam opened a new pull request #3938: Upgrade third party libraries with security vulnerabilities",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/c70da3cb6e3f03e0ad8013e38b6959419d866c4a7c80fdd34b73f25c%40%3Ccommits.pulsar.apache.org%3E"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html"
},
{
"name": "[commons-issues] 20190521 [jira] [Created] (BEANUTILS-520) BeanUtils2 mitigate CVE-2014-0114",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/97fc033dad4233a5d82fcb75521eabdd23dd99ef32eb96f407f96a1a%40%3Cissues.commons.apache.org%3E"
},
{
"name": "[commons-issues] 20190522 [jira] [Commented] (BEANUTILS-520) BeanUtils2 mitigate CVE-2014-0114",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/8e2bdfabd5b14836aa3cf900aa0a62ff9f4e22a518bb4e553ebcf55f%40%3Cissues.commons.apache.org%3E"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/65b39fa6d700e511927e5668a4038127432178a210aff81500eb36e5%40%3Cissues.commons.apache.org%3E"
},
{
"name": "[commons-issues] 20190522 [jira] [Work logged] (BEANUTILS-520) BeanUtils2 mitigate CVE-2014-0114",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/080af531a9113e29d3f6a060e3f992dc9f40315ec7234e15c3b339e3%40%3Cissues.commons.apache.org%3E"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/ffde3f266d3bde190b54c9202169e7918a92de7e7e0337d792dc7263%40%3Cissues.commons.apache.org%3E"
},
{
"name": "[commons-dev] 20190522 [beanutils2] CVE-2014-0114 Pull Request",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/40fc236a35801a535cd49cf1979dbeab034b833c63a284941bce5bf1%40%3Cdev.commons.apache.org%3E"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/15fcdf27fa060de276edc0b4098526afc21c236852eb3de9be9594f3%40%3Cissues.commons.apache.org%3E"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/4c3fd707a049bfe0577dba8fc9c4868ffcdabe68ad86586a0a49242e%40%3Cissues.commons.apache.org%3E"
},
{
"name": "[commons-dev] 20190525 Re: [beanutils2] CVE-2014-0114 Pull Request",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/0340493a1ddf3660dee09a5c503449cdac5bec48cdc478de65858859%40%3Cdev.commons.apache.org%3E"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/2ba22f2e3de945039db735cf6cbf7f8be901ab2537337c7b1dd6a0f0%40%3Cissues.commons.apache.org%3E"
},
{
"name": "[commons-commits] 20190528 [commons-beanutils] branch master updated: BEANUTILS-520: Mitigate CVE-2014-0114 by enabling SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS by default. (#7)",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/31f9dc2c9cb68e390634a4202f84b8569f64b6569bfcce46348fd9fd%40%3Ccommits.commons.apache.org%3E"
},
{
"name": "[commons-issues] 20190528 [jira] [Closed] (BEANUTILS-520) BeanUtils2 mitigate CVE-2014-0114",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/098e9aae118ac5c06998a9ba4544ab2475162981d290fdef88e6f883%40%3Cissues.commons.apache.org%3E"
},
{
"name": "[commons-notifications] 20190528 Build failed in Jenkins: commons-beanutils #74",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/fda473f46e51019a78ab217a7a3a3d48dafd90846e75bd5536ef72f3%40%3Cnotifications.commons.apache.org%3E"
},
{
"name": "[commons-commits] 20190528 [commons-beanutils] branch master updated: [BEANUTILS-520] BeanUtils2 mitigate CVE-2014-0114.",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/c24c0b931632a397142882ba248b7bd440027960f22845c6f664c639%40%3Ccommits.commons.apache.org%3E"
},
{
"name": "[commons-issues] 20190528 [jira] [Work logged] (BEANUTILS-520) BeanUtils2 mitigate CVE-2014-0114",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/42ad6326d62ea8453d0d0ce12eff39bbb7c5b4fca9639da007291346%40%3Cissues.commons.apache.org%3E"
},
{
"name": "[commons-notifications] 20190528 Build failed in Jenkins: commons-beanutils #75",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/ebc4f019798f6ce2a39f3e0c26a9068563a9ba092cdf3ece398d4e2f%40%3Cnotifications.commons.apache.org%3E"
},
{
"name": "[commons-dev] 20190605 Re: [beanutils] Towards 1.10",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/df093c662b5e49fe9e38ef91f78ffab09d0839dea7df69a747dffa86%40%3Cdev.commons.apache.org%3E"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/9b5505632f5683ee17bda4f7878525e672226c7807d57709283ffa64%40%3Cissues.commons.apache.org%3E"
},
{
"name": "[commons-issues] 20190615 [jira] [Updated] (BEANUTILS-520) BeanUtils2 mitigate CVE-2014-0114",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/cee6b1c4533be1a753614f6a7d7c533c42091e7cafd7053b8f62792a%40%3Cissues.commons.apache.org%3E"
},
{
"name": "[commons-issues] 20190615 [jira] [Reopened] (BEANUTILS-520) BeanUtils2 mitigate CVE-2014-0114",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/df1c385f2112edffeff57a6b21d12e8d24031a9f578cb8ba22a947a8%40%3Cissues.commons.apache.org%3E"
},
{
"name": "[commons-issues] 20190615 [jira] [Resolved] (BEANUTILS-520) BeanUtils2 mitigate CVE-2014-0114",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/2454e058fd05ba30ca29442fdeb7ea47505d47a888fbc9f3a53f31d0%40%3Cissues.commons.apache.org%3E"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/869c08899f34c1a70c9fb42f92ac0d043c98781317e0c19d7ba3f5e3%40%3Cissues.commons.apache.org%3E"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/084ae814e69178d2ce174cfdf149bc6e46d7524f3308c08d3adb43cb%40%3Cissues.commons.apache.org%3E"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/f3682772e62926b5c009eed63c62767021be6da0bb7427610751809f%40%3Cissues.commons.apache.org%3E"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/aa4ca069c7aea5b1d7329bc21576c44a39bcc4eb7bb2760c4b16f2f6%40%3Cissues.commons.apache.org%3E"
},
{
"name": "[commons-dev] 20190814 [SECURITY] CVE-2019-10086. Apache Commons Beanutils does not suppresses the class property in PropertyUtilsBean by default.",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/88c497eead24ed517a2bb3159d3dc48725c215e97fe7a98b2cf3ea25%40%3Cdev.commons.apache.org%3E"
},
{
"name": "[commons-user] 20190814 [SECURITY] CVE-2019-10086. Apache Commons Beanutils does not suppresses the class property in PropertyUtilsBean by default.",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/0a35108a56e2d575e3b3985588794e39fbf264097aba66f4c5569e4f%40%3Cuser.commons.apache.org%3E"
},
{
"name": "[announce] 20190814 [SECURITY] CVE-2019-10086. Apache Commons Beanutils does not suppresses the class property in PropertyUtilsBean by default.",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/918ec15a80fc766ff46c5d769cb8efc88fed6674faadd61a7105166b%40%3Cannounce.apache.org%3E"
},
{
"name": "[commons-issues] 20190818 [jira] [Commented] (BEANUTILS-520) BeanUtils2 mitigate CVE-2014-0114",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/c7e31c3c90b292e0bafccc4e1b19c9afc1503a65d82cb7833dfd7478%40%3Cissues.commons.apache.org%3E"
},
{
"name": "[activemq-gitbox] 20190903 [GitHub] [activemq-artemis] jeloba opened a new pull request #2820: Updated Apache BeanUtils to address CVE",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/d27c51b3c933f885460aa6d3004eb228916615caaaddbb8e8bfeeb40%40%3Cgitbox.activemq.apache.org%3E"
},
{
"name": "[activemq-issues] 20190904 [jira] [Created] (ARTEMIS-2470) Update Apache BeanUtils to Address CVE-2014-0114",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/3f500972dceb48e3cb351f58565aecf6728b1ea7a69593af86c30b30%40%3Cissues.activemq.apache.org%3E"
},
{
"name": "[commons-commits] 20190906 [commons-configuration] branch master updated: [CONFIGURATION-755][CVE-2014-0114] Update Apache Commons BeanUtils from 1.9.3 to 1.9.4.",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/1565e8b786dff4cb3b48ecc8381222c462c92076c9e41408158797b5%40%3Ccommits.commons.apache.org%3E"
},
{
"name": "[commons-issues] 20190906 [jira] [Updated] (CONFIGURATION-755) [CVE-2014-0114] Update Apache Commons BeanUtils from 1.9.3 to 1.9.4.",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/956995acee0d8bc046f1df0a55b7fbeb65dd2f82864e5de1078bacb0%40%3Cissues.commons.apache.org%3E"
},
{
"name": "[commons-issues] 20190906 [jira] [Closed] (CONFIGURATION-755) [CVE-2014-0114] Update Apache Commons BeanUtils from 1.9.3 to 1.9.4.",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/1f78f1e32cc5614ec0c5b822ba4bd7fc8e8b5c46c8e038b6bd609cb5%40%3Cissues.commons.apache.org%3E"
},
{
"name": "[activemq-issues] 20190909 [jira] [Work logged] (ARTEMIS-2470) Update Apache BeanUtils to Address CVE-2014-0114",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/0efed939139f5b9dcd62b8acf7cb8a9789227d14abdc0c6f141c4a4c%40%3Cissues.activemq.apache.org%3E"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/09981ae3df188a2ad1ce20f62ef76a5b2d27cf6b9ebab366cf1d6cc6%40%3Cissues.commons.apache.org%3E"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/6b30629b32d020c40d537f00b004d281c37528d471de15ca8aec2cd4%40%3Cissues.commons.apache.org%3E"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/6afe2f935493e69a332b9c5a4f23cafe95c15ede1591a492cf612293%40%3Cissues.commons.apache.org%3E"
},
{
"name": "RHSA-2019:2995",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2019:2995"
},
{
"name": "[commons-issues] 20191014 [jira] [Updated] (BEANUTILS-520) Mitigate CVE-2014-0114",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/66176fa3caeca77058d9f5b0316419a43b4c3fa2b572e05b87132226%40%3Cissues.commons.apache.org%3E"
},
{
"name": "[drill-dev] 20191017 Dependencies used by Drill contain known vulnerabilities",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442%40%3Cdev.drill.apache.org%3E"
},
{
"name": "[drill-dev] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f%40%3Cdev.drill.apache.org%3E"
},
{
"name": "[drill-issues] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc%40%3Cissues.drill.apache.org%3E"
},
{
"name": "[druid-commits] 20191115 [GitHub] [incubator-druid] ccaominh opened a new pull request #8878: Address security vulnerabilities",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/9317fd092b257a0815434b116a8af8daea6e920b6673f4fd5583d5fe%40%3Ccommits.druid.apache.org%3E"
},
{
"name": "[activemq-issues] 20200109 [jira] [Resolved] (ARTEMIS-2470) Update Apache BeanUtils to Address CVE-2014-0114",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r75d67108e557bb5d4c4318435067714a0180de525314b7e8dab9d04e%40%3Cissues.activemq.apache.org%3E"
},
{
"name": "[lucene-solr-user] 20200320 CVEs (vulnerabilities) that apply to Solr 8.4.1",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r204ba2a9ea750f38d789d2bb429cc0925ad6133deea7cbc3001d96b5%40%3Csolr-user.lucene.apache.org%3E"
},
{
"name": "[lucene-solr-user] 20200320 Re: CVEs (vulnerabilities) that apply to Solr 8.4.1",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rf5230a049d989dbfdd404b4320a265dceeeba459a4d04ec21873bd55%40%3Csolr-user.lucene.apache.org%3E"
},
{
"name": "[dolphinscheduler-commits] 20210121 [GitHub] [incubator-dolphinscheduler] c-f-cooper commented on issue #4506: There is a vulnerability in beanutils 1.7.0,upgrade recommended",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r458d61eaeadecaad04382ebe583230bc027f48d9e85e4731bc573477%40%3Ccommits.dolphinscheduler.apache.org%3E"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2014-04-29T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Apache Commons BeanUtils, as distributed in lib/commons-beanutils-1.8.0.jar in Apache Struts 1.x through 1.3.10 and in other products requiring commons-beanutils through 1.9.2, does not suppress the class property, which allows remote attackers to \"manipulate\" the ClassLoader and execute arbitrary code via the class parameter, as demonstrated by the passing of this parameter to the getClass method of the ActionForm object in Struts 1."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-01-21T14:06:10",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"name": "[apache-ignite-developers] 20180601 [CVE-2014-0114]: Apache Ignite is vulnerable to existing CVE-2014-0114",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://apache-ignite-developers.2346864.n4.nabble.com/CVE-2014-0114-Apache-Ignite-is-vulnerable-to-existing-CVE-2014-0114-td31205.html"
},
{
"name": "57477",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA"
],
"url": "http://secunia.com/advisories/57477"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://www.vmware.com/security/advisories/VMSA-2014-0008.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://issues.apache.org/jira/browse/BEANUTILS-463"
},
{
"name": "58710",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA"
],
"url": "http://secunia.com/advisories/58710"
},
{
"name": "MDVSA-2014:095",
"tags": [
"vendor-advisory",
"x_refsource_MANDRIVA"
],
"url": "http://www.mandriva.com/security/advisories?name=MDVSA-2014:095"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://www.vmware.com/security/advisories/VMSA-2014-0012.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://www-01.ibm.com/support/docview.wss?uid=swg21675689"
},
{
"name": "FEDORA-2014-9380",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2014-August/136958.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://www-01.ibm.com/support/docview.wss?uid=swg21674812"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://security.netapp.com/advisory/ntap-20140911-0001/"
},
{
"name": "59464",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA"
],
"url": "http://secunia.com/advisories/59464"
},
{
"name": "59118",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA"
],
"url": "http://secunia.com/advisories/59118"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://security.netapp.com/advisory/ntap-20180629-0006/"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://www-01.ibm.com/support/docview.wss?uid=swg21675387"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://access.redhat.com/solutions/869353"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1091938"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://commons.apache.org/proper/commons-beanutils/javadocs/v1.9.2/RELEASE-NOTES.txt"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://advisories.mageia.org/MGASA-2014-0219.html"
},
{
"name": "60703",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA"
],
"url": "http://secunia.com/advisories/60703"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://www-01.ibm.com/support/docview.wss?uid=swg21675972"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05324755"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://www-01.ibm.com/support/docview.wss?uid=swg21676375"
},
{
"name": "[oss-security] 20140707 Re: CVE request for commons-beanutils: \u0027class\u0027 property is exposed, potentially leading to RCE",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://openwall.com/lists/oss-security/2014/07/08/1"
},
{
"name": "RHSA-2018:2669",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2018:2669"
},
{
"name": "GLSA-201607-09",
"tags": [
"vendor-advisory",
"x_refsource_GENTOO"
],
"url": "https://security.gentoo.org/glsa/201607-09"
},
{
"name": "HPSBST03160",
"tags": [
"vendor-advisory",
"x_refsource_HP"
],
"url": "http://marc.info/?l=bugtraq\u0026m=141451023707502\u0026w=2"
},
{
"name": "20141205 NEW: VMSA-2014-0012 - VMware vSphere product updates address security vulnerabilities",
"tags": [
"mailing-list",
"x_refsource_BUGTRAQ"
],
"url": "http://www.securityfocus.com/archive/1/534161/100/0/threaded"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://www-01.ibm.com/support/docview.wss?uid=swg21675898"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://www-01.ibm.com/support/docview.wss?uid=swg21676110"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://www-01.ibm.com/support/docview.wss?uid=swg27042296"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://www-01.ibm.com/support/docview.wss?uid=swg21676303"
},
{
"name": "59228",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA"
],
"url": "http://secunia.com/advisories/59228"
},
{
"name": "59246",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA"
],
"url": "http://secunia.com/advisories/59246"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1116665"
},
{
"name": "[oss-security] 20140616 CVE request for commons-beanutils: \u0027class\u0027 property is exposed, potentially leading to RCE",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://openwall.com/lists/oss-security/2014/06/15/10"
},
{
"name": "59245",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA"
],
"url": "http://secunia.com/advisories/59245"
},
{
"name": "HPSBMU03090",
"tags": [
"vendor-advisory",
"x_refsource_HP"
],
"url": "http://marc.info/?l=bugtraq\u0026m=140801096002766\u0026w=2"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://www-01.ibm.com/support/docview.wss?uid=swg21674128"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://www-01.ibm.com/support/docview.wss?uid=swg21676931"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://www.oracle.com/technetwork/topics/security/cpujul2014-1972956.html"
},
{
"name": "60177",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA"
],
"url": "http://secunia.com/advisories/60177"
},
{
"name": "20141205 NEW: VMSA-2014-0012 - VMware vSphere product updates address security vulnerabilities",
"tags": [
"mailing-list",
"x_refsource_FULLDISC"
],
"url": "http://seclists.org/fulldisclosure/2014/Dec/23"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://www.ibm.com/support/docview.wss?uid=swg21675496"
},
{
"name": "DSA-2940",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "http://www.debian.org/security/2014/dsa-2940"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://www-01.ibm.com/support/docview.wss?uid=swg21675266"
},
{
"name": "59014",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA"
],
"url": "http://secunia.com/advisories/59014"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://www.oracle.com/technetwork/topics/security/cpuoct2014-1972960.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://www-01.ibm.com/support/docview.wss?uid=swg21677110"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://www-01.ibm.com/support/docview.wss?uid=swg21676091"
},
{
"name": "67121",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/67121"
},
{
"name": "59480",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA"
],
"url": "http://secunia.com/advisories/59480"
},
{
"name": "HPSBGN03041",
"tags": [
"vendor-advisory",
"x_refsource_HP"
],
"url": "http://marc.info/?l=bugtraq\u0026m=140119284401582\u0026w=2"
},
{
"name": "59479",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA"
],
"url": "http://secunia.com/advisories/59479"
},
{
"name": "59704",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA"
],
"url": "http://secunia.com/advisories/59704"
},
{
"name": "58947",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA"
],
"url": "http://secunia.com/advisories/58947"
},
{
"name": "59718",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA"
],
"url": "http://secunia.com/advisories/59718"
},
{
"name": "59430",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA"
],
"url": "http://secunia.com/advisories/59430"
},
{
"name": "58851",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA"
],
"url": "http://secunia.com/advisories/58851"
},
{
"name": "[lucene-solr-user] 20190104 Re: SOLR v7 Security Issues Caused Denial of Use - Sonatype Application Composition Report",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/708d94141126eac03011144a971a6411fcac16d9c248d1d535a39451%40%3Csolr-user.lucene.apache.org%3E"
},
{
"name": "[infra-devnull] 20190329 [GitHub] [pulsar] massakam opened pull request #3938: Upgrade third party libraries with security vulnerabilities",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/37e1ed724a1b0e5d191d98c822c426670bdfde83804567131847d2a3%40%3Cdevnull.infra.apache.org%3E"
},
{
"name": "[pulsar-commits] 20190329 [GitHub] [pulsar] massakam opened a new pull request #3938: Upgrade third party libraries with security vulnerabilities",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/c70da3cb6e3f03e0ad8013e38b6959419d866c4a7c80fdd34b73f25c%40%3Ccommits.pulsar.apache.org%3E"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html"
},
{
"name": "[commons-issues] 20190521 [jira] [Created] (BEANUTILS-520) BeanUtils2 mitigate CVE-2014-0114",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/97fc033dad4233a5d82fcb75521eabdd23dd99ef32eb96f407f96a1a%40%3Cissues.commons.apache.org%3E"
},
{
"name": "[commons-issues] 20190522 [jira] [Commented] (BEANUTILS-520) BeanUtils2 mitigate CVE-2014-0114",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/8e2bdfabd5b14836aa3cf900aa0a62ff9f4e22a518bb4e553ebcf55f%40%3Cissues.commons.apache.org%3E"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://lists.apache.org/thread.html/65b39fa6d700e511927e5668a4038127432178a210aff81500eb36e5%40%3Cissues.commons.apache.org%3E"
},
{
"name": "[commons-issues] 20190522 [jira] [Work logged] (BEANUTILS-520) BeanUtils2 mitigate CVE-2014-0114",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/080af531a9113e29d3f6a060e3f992dc9f40315ec7234e15c3b339e3%40%3Cissues.commons.apache.org%3E"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://lists.apache.org/thread.html/ffde3f266d3bde190b54c9202169e7918a92de7e7e0337d792dc7263%40%3Cissues.commons.apache.org%3E"
},
{
"name": "[commons-dev] 20190522 [beanutils2] CVE-2014-0114 Pull Request",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/40fc236a35801a535cd49cf1979dbeab034b833c63a284941bce5bf1%40%3Cdev.commons.apache.org%3E"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://lists.apache.org/thread.html/15fcdf27fa060de276edc0b4098526afc21c236852eb3de9be9594f3%40%3Cissues.commons.apache.org%3E"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://lists.apache.org/thread.html/4c3fd707a049bfe0577dba8fc9c4868ffcdabe68ad86586a0a49242e%40%3Cissues.commons.apache.org%3E"
},
{
"name": "[commons-dev] 20190525 Re: [beanutils2] CVE-2014-0114 Pull Request",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/0340493a1ddf3660dee09a5c503449cdac5bec48cdc478de65858859%40%3Cdev.commons.apache.org%3E"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://lists.apache.org/thread.html/2ba22f2e3de945039db735cf6cbf7f8be901ab2537337c7b1dd6a0f0%40%3Cissues.commons.apache.org%3E"
},
{
"name": "[commons-commits] 20190528 [commons-beanutils] branch master updated: BEANUTILS-520: Mitigate CVE-2014-0114 by enabling SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS by default. (#7)",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/31f9dc2c9cb68e390634a4202f84b8569f64b6569bfcce46348fd9fd%40%3Ccommits.commons.apache.org%3E"
},
{
"name": "[commons-issues] 20190528 [jira] [Closed] (BEANUTILS-520) BeanUtils2 mitigate CVE-2014-0114",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/098e9aae118ac5c06998a9ba4544ab2475162981d290fdef88e6f883%40%3Cissues.commons.apache.org%3E"
},
{
"name": "[commons-notifications] 20190528 Build failed in Jenkins: commons-beanutils #74",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/fda473f46e51019a78ab217a7a3a3d48dafd90846e75bd5536ef72f3%40%3Cnotifications.commons.apache.org%3E"
},
{
"name": "[commons-commits] 20190528 [commons-beanutils] branch master updated: [BEANUTILS-520] BeanUtils2 mitigate CVE-2014-0114.",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/c24c0b931632a397142882ba248b7bd440027960f22845c6f664c639%40%3Ccommits.commons.apache.org%3E"
},
{
"name": "[commons-issues] 20190528 [jira] [Work logged] (BEANUTILS-520) BeanUtils2 mitigate CVE-2014-0114",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/42ad6326d62ea8453d0d0ce12eff39bbb7c5b4fca9639da007291346%40%3Cissues.commons.apache.org%3E"
},
{
"name": "[commons-notifications] 20190528 Build failed in Jenkins: commons-beanutils #75",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/ebc4f019798f6ce2a39f3e0c26a9068563a9ba092cdf3ece398d4e2f%40%3Cnotifications.commons.apache.org%3E"
},
{
"name": "[commons-dev] 20190605 Re: [beanutils] Towards 1.10",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/df093c662b5e49fe9e38ef91f78ffab09d0839dea7df69a747dffa86%40%3Cdev.commons.apache.org%3E"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://lists.apache.org/thread.html/9b5505632f5683ee17bda4f7878525e672226c7807d57709283ffa64%40%3Cissues.commons.apache.org%3E"
},
{
"name": "[commons-issues] 20190615 [jira] [Updated] (BEANUTILS-520) BeanUtils2 mitigate CVE-2014-0114",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/cee6b1c4533be1a753614f6a7d7c533c42091e7cafd7053b8f62792a%40%3Cissues.commons.apache.org%3E"
},
{
"name": "[commons-issues] 20190615 [jira] [Reopened] (BEANUTILS-520) BeanUtils2 mitigate CVE-2014-0114",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/df1c385f2112edffeff57a6b21d12e8d24031a9f578cb8ba22a947a8%40%3Cissues.commons.apache.org%3E"
},
{
"name": "[commons-issues] 20190615 [jira] [Resolved] (BEANUTILS-520) BeanUtils2 mitigate CVE-2014-0114",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/2454e058fd05ba30ca29442fdeb7ea47505d47a888fbc9f3a53f31d0%40%3Cissues.commons.apache.org%3E"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://lists.apache.org/thread.html/869c08899f34c1a70c9fb42f92ac0d043c98781317e0c19d7ba3f5e3%40%3Cissues.commons.apache.org%3E"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://lists.apache.org/thread.html/084ae814e69178d2ce174cfdf149bc6e46d7524f3308c08d3adb43cb%40%3Cissues.commons.apache.org%3E"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://lists.apache.org/thread.html/f3682772e62926b5c009eed63c62767021be6da0bb7427610751809f%40%3Cissues.commons.apache.org%3E"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://lists.apache.org/thread.html/aa4ca069c7aea5b1d7329bc21576c44a39bcc4eb7bb2760c4b16f2f6%40%3Cissues.commons.apache.org%3E"
},
{
"name": "[commons-dev] 20190814 [SECURITY] CVE-2019-10086. Apache Commons Beanutils does not suppresses the class property in PropertyUtilsBean by default.",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/88c497eead24ed517a2bb3159d3dc48725c215e97fe7a98b2cf3ea25%40%3Cdev.commons.apache.org%3E"
},
{
"name": "[commons-user] 20190814 [SECURITY] CVE-2019-10086. Apache Commons Beanutils does not suppresses the class property in PropertyUtilsBean by default.",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/0a35108a56e2d575e3b3985588794e39fbf264097aba66f4c5569e4f%40%3Cuser.commons.apache.org%3E"
},
{
"name": "[announce] 20190814 [SECURITY] CVE-2019-10086. Apache Commons Beanutils does not suppresses the class property in PropertyUtilsBean by default.",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/918ec15a80fc766ff46c5d769cb8efc88fed6674faadd61a7105166b%40%3Cannounce.apache.org%3E"
},
{
"name": "[commons-issues] 20190818 [jira] [Commented] (BEANUTILS-520) BeanUtils2 mitigate CVE-2014-0114",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/c7e31c3c90b292e0bafccc4e1b19c9afc1503a65d82cb7833dfd7478%40%3Cissues.commons.apache.org%3E"
},
{
"name": "[activemq-gitbox] 20190903 [GitHub] [activemq-artemis] jeloba opened a new pull request #2820: Updated Apache BeanUtils to address CVE",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/d27c51b3c933f885460aa6d3004eb228916615caaaddbb8e8bfeeb40%40%3Cgitbox.activemq.apache.org%3E"
},
{
"name": "[activemq-issues] 20190904 [jira] [Created] (ARTEMIS-2470) Update Apache BeanUtils to Address CVE-2014-0114",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/3f500972dceb48e3cb351f58565aecf6728b1ea7a69593af86c30b30%40%3Cissues.activemq.apache.org%3E"
},
{
"name": "[commons-commits] 20190906 [commons-configuration] branch master updated: [CONFIGURATION-755][CVE-2014-0114] Update Apache Commons BeanUtils from 1.9.3 to 1.9.4.",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/1565e8b786dff4cb3b48ecc8381222c462c92076c9e41408158797b5%40%3Ccommits.commons.apache.org%3E"
},
{
"name": "[commons-issues] 20190906 [jira] [Updated] (CONFIGURATION-755) [CVE-2014-0114] Update Apache Commons BeanUtils from 1.9.3 to 1.9.4.",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/956995acee0d8bc046f1df0a55b7fbeb65dd2f82864e5de1078bacb0%40%3Cissues.commons.apache.org%3E"
},
{
"name": "[commons-issues] 20190906 [jira] [Closed] (CONFIGURATION-755) [CVE-2014-0114] Update Apache Commons BeanUtils from 1.9.3 to 1.9.4.",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/1f78f1e32cc5614ec0c5b822ba4bd7fc8e8b5c46c8e038b6bd609cb5%40%3Cissues.commons.apache.org%3E"
},
{
"name": "[activemq-issues] 20190909 [jira] [Work logged] (ARTEMIS-2470) Update Apache BeanUtils to Address CVE-2014-0114",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/0efed939139f5b9dcd62b8acf7cb8a9789227d14abdc0c6f141c4a4c%40%3Cissues.activemq.apache.org%3E"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://lists.apache.org/thread.html/09981ae3df188a2ad1ce20f62ef76a5b2d27cf6b9ebab366cf1d6cc6%40%3Cissues.commons.apache.org%3E"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://lists.apache.org/thread.html/6b30629b32d020c40d537f00b004d281c37528d471de15ca8aec2cd4%40%3Cissues.commons.apache.org%3E"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://lists.apache.org/thread.html/6afe2f935493e69a332b9c5a4f23cafe95c15ede1591a492cf612293%40%3Cissues.commons.apache.org%3E"
},
{
"name": "RHSA-2019:2995",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2019:2995"
},
{
"name": "[commons-issues] 20191014 [jira] [Updated] (BEANUTILS-520) Mitigate CVE-2014-0114",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/66176fa3caeca77058d9f5b0316419a43b4c3fa2b572e05b87132226%40%3Cissues.commons.apache.org%3E"
},
{
"name": "[drill-dev] 20191017 Dependencies used by Drill contain known vulnerabilities",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442%40%3Cdev.drill.apache.org%3E"
},
{
"name": "[drill-dev] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f%40%3Cdev.drill.apache.org%3E"
},
{
"name": "[drill-issues] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc%40%3Cissues.drill.apache.org%3E"
},
{
"name": "[druid-commits] 20191115 [GitHub] [incubator-druid] ccaominh opened a new pull request #8878: Address security vulnerabilities",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/9317fd092b257a0815434b116a8af8daea6e920b6673f4fd5583d5fe%40%3Ccommits.druid.apache.org%3E"
},
{
"name": "[activemq-issues] 20200109 [jira] [Resolved] (ARTEMIS-2470) Update Apache BeanUtils to Address CVE-2014-0114",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r75d67108e557bb5d4c4318435067714a0180de525314b7e8dab9d04e%40%3Cissues.activemq.apache.org%3E"
},
{
"name": "[lucene-solr-user] 20200320 CVEs (vulnerabilities) that apply to Solr 8.4.1",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r204ba2a9ea750f38d789d2bb429cc0925ad6133deea7cbc3001d96b5%40%3Csolr-user.lucene.apache.org%3E"
},
{
"name": "[lucene-solr-user] 20200320 Re: CVEs (vulnerabilities) that apply to Solr 8.4.1",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rf5230a049d989dbfdd404b4320a265dceeeba459a4d04ec21873bd55%40%3Csolr-user.lucene.apache.org%3E"
},
{
"name": "[dolphinscheduler-commits] 20210121 [GitHub] [incubator-dolphinscheduler] c-f-cooper commented on issue #4506: There is a vulnerability in beanutils 1.7.0,upgrade recommended",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r458d61eaeadecaad04382ebe583230bc027f48d9e85e4731bc573477%40%3Ccommits.dolphinscheduler.apache.org%3E"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2014-0114",
"datePublished": "2014-04-30T10:00:00",
"dateReserved": "2013-12-03T00:00:00",
"dateUpdated": "2024-08-06T09:05:38.989Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2014-0114\",\"sourceIdentifier\":\"secalert@redhat.com\",\"published\":\"2014-04-30T10:49:03.973\",\"lastModified\":\"2023-02-13T00:32:29.660\",\"vulnStatus\":\"Modified\",\"descriptions\":[{\"lang\":\"en\",\"value\":\"Apache Commons BeanUtils, as distributed in lib/commons-beanutils-1.8.0.jar in Apache Struts 1.x through 1.3.10 and in other products requiring commons-beanutils through 1.9.2, does not suppress the class property, which allows remote attackers to \\\"manipulate\\\" the ClassLoader and execute arbitrary code via the class parameter, as demonstrated by the passing of this parameter to the getClass method of the ActionForm object in Struts 1.\"},{\"lang\":\"es\",\"value\":\"Apache Commons BeanUtils, seg\u00fan se distribuye en lib/commons-beanutils-1.8.0.jar en Apache Struts 1.x hasta la versi\u00f3n 1.3.10 y en otros productos que requieren commons-beanutils hasta la versi\u00f3n 1.9.2, no suprime la propiedad class, lo que permite a atacantes remotos \\\"manipular\\\" el ClassLoader y ejecutar c\u00f3digo arbitrario a trav\u00e9s del par\u00e1metro class, seg\u00fan lo demostrado por el paso de este par\u00e1metro al m\u00e9todo getClass del objeto ActionForm en Struts 1.\"}],\"metrics\":{\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:N/C:P/I:P/A:P\",\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"PARTIAL\",\"baseScore\":7.5},\"baseSeverity\":\"HIGH\",\"exploitabilityScore\":10.0,\"impactScore\":6.4,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-20\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:commons_beanutils:*:*:*:*:*:*:*:*\",\"versionEndIncluding\":\"1.9.1\",\"matchCriteriaId\":\"02FF6542-F5F7-465D-9755-E4EFC8953453\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:struts:1.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"A5051228-446E-461D-9B5F-8F765C7BA57F\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:struts:1.0.2:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"EE1B8A83-43A4-4C4F-BB95-4D9CAD882D1C\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:struts:1.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"A55DDFE1-A8AB-47BB-903E-957FCF3D023D\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:struts:1.1:b1:*:*:*:*:*:*\",\"matchCriteriaId\":\"93FA9AE3-B453-4FE6-82A9-7DDEF3F6C464\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:struts:1.1:b2:*:*:*:*:*:*\",\"matchCriteriaId\":\"A3BB6FBE-469B-4920-A30B-33AD9E41ACCD\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:struts:1.1:b3:*:*:*:*:*:*\",\"matchCriteriaId\":\"34FC82D3-CCAF-4F37-B531-2A9CA17311A9\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:struts:1.1:rc1:*:*:*:*:*:*\",\"matchCriteriaId\":\"E0B8B413-8C62-44B6-A382-26F35F4573D4\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:struts:1.1:rc2:*:*:*:*:*:*\",\"matchCriteriaId\":\"6309C679-890A-4214-8857-9F119CBBAA00\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:struts:1.2.2:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"CD882860-03D0-49E9-8CED-DE6663392548\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:struts:1.2.4:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"EDDD509E-9EBF-483F-9546-A1A3A1A3380E\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:struts:1.2.6:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"B2ECF5E1-457F-4E76-81F7-65114DC4E1E4\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:struts:1.2.7:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"2FC81E1A-2779-4FAF-866C-970752CD1828\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:struts:1.2.8:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"CBD69FAE-C1A3-4213-824A-7DCCE357EB01\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:struts:1.2.9:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"9C34FDB0-2778-4C36-8345-F7E27509A383\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:struts:1.3.5:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"CF0302D3-CB8D-4FA7-8F07-C2C7593877BE\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:struts:1.3.8:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"03906D34-F3B3-4C56-A6A6-2F7A10168501\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:struts:1.3.10:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"1B3872B7-2972-433D-96A1-154FA545B311\"}]}]}],\"references\":[{\"url\":\"http://advisories.mageia.org/MGASA-2014-0219.html\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://apache-ignite-developers.2346864.n4.nabble.com/CVE-2014-0114-Apache-Ignite-is-vulnerable-to-existing-CVE-2014-0114-td31205.html\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://commons.apache.org/proper/commons-beanutils/javadocs/v1.9.2/RELEASE-NOTES.txt\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://lists.fedoraproject.org/pipermail/package-announce/2014-August/136958.html\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://marc.info/?l=bugtraq\u0026m=140119284401582\u0026w=2\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://marc.info/?l=bugtraq\u0026m=140801096002766\u0026w=2\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://marc.info/?l=bugtraq\u0026m=141451023707502\u0026w=2\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://openwall.com/lists/oss-security/2014/06/15/10\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://openwall.com/lists/oss-security/2014/07/08/1\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://seclists.org/fulldisclosure/2014/Dec/23\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://secunia.com/advisories/57477\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://secunia.com/advisories/58710\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://secunia.com/advisories/58851\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://secunia.com/advisories/58947\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://secunia.com/advisories/59014\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://secunia.com/advisories/59118\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://secunia.com/advisories/59228\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://secunia.com/advisories/59245\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://secunia.com/advisories/59246\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://secunia.com/advisories/59430\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://secunia.com/advisories/59464\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://secunia.com/advisories/59479\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://secunia.com/advisories/59480\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://secunia.com/advisories/59704\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://secunia.com/advisories/59718\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://secunia.com/advisories/60177\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://secunia.com/advisories/60703\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://www-01.ibm.com/support/docview.wss?uid=swg21674128\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://www-01.ibm.com/support/docview.wss?uid=swg21674812\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://www-01.ibm.com/support/docview.wss?uid=swg21675266\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://www-01.ibm.com/support/docview.wss?uid=swg21675387\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://www-01.ibm.com/support/docview.wss?uid=swg21675689\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://www-01.ibm.com/support/docview.wss?uid=swg21675898\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://www-01.ibm.com/support/docview.wss?uid=swg21675972\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://www-01.ibm.com/support/docview.wss?uid=swg21676091\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://www-01.ibm.com/support/docview.wss?uid=swg21676110\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://www-01.ibm.com/support/docview.wss?uid=swg21676303\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://www-01.ibm.com/support/docview.wss?uid=swg21676375\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://www-01.ibm.com/support/docview.wss?uid=swg21676931\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://www-01.ibm.com/support/docview.wss?uid=swg21677110\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://www-01.ibm.com/support/docview.wss?uid=swg27042296\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://www.debian.org/security/2014/dsa-2940\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://www.ibm.com/support/docview.wss?uid=swg21675496\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://www.mandriva.com/security/advisories?name=MDVSA-2014:095\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://www.oracle.com/technetwork/topics/security/cpujul2014-1972956.html\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://www.oracle.com/technetwork/topics/security/cpuoct2014-1972960.html\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://www.securityfocus.com/archive/1/534161/100/0/threaded\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://www.securityfocus.com/bid/67121\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://www.vmware.com/security/advisories/VMSA-2014-0008.html\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://www.vmware.com/security/advisories/VMSA-2014-0012.html\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2018:2669\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2019:2995\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://access.redhat.com/solutions/869353\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://bugzilla.redhat.com/show_bug.cgi?id=1091938\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://bugzilla.redhat.com/show_bug.cgi?id=1116665\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05324755\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://issues.apache.org/jira/browse/BEANUTILS-463\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://lists.apache.org/thread.html/0340493a1ddf3660dee09a5c503449cdac5bec48cdc478de65858859%40%3Cdev.commons.apache.org%3E\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://lists.apache.org/thread.html/080af531a9113e29d3f6a060e3f992dc9f40315ec7234e15c3b339e3%40%3Cissues.commons.apache.org%3E\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://lists.apache.org/thread.html/084ae814e69178d2ce174cfdf149bc6e46d7524f3308c08d3adb43cb%40%3Cissues.commons.apache.org%3E\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://lists.apache.org/thread.html/098e9aae118ac5c06998a9ba4544ab2475162981d290fdef88e6f883%40%3Cissues.commons.apache.org%3E\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://lists.apache.org/thread.html/09981ae3df188a2ad1ce20f62ef76a5b2d27cf6b9ebab366cf1d6cc6%40%3Cissues.commons.apache.org%3E\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://lists.apache.org/thread.html/0a35108a56e2d575e3b3985588794e39fbf264097aba66f4c5569e4f%40%3Cuser.commons.apache.org%3E\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://lists.apache.org/thread.html/0efed939139f5b9dcd62b8acf7cb8a9789227d14abdc0c6f141c4a4c%40%3Cissues.activemq.apache.org%3E\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://lists.apache.org/thread.html/1565e8b786dff4cb3b48ecc8381222c462c92076c9e41408158797b5%40%3Ccommits.commons.apache.org%3E\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://lists.apache.org/thread.html/15fcdf27fa060de276edc0b4098526afc21c236852eb3de9be9594f3%40%3Cissues.commons.apache.org%3E\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://lists.apache.org/thread.html/1f78f1e32cc5614ec0c5b822ba4bd7fc8e8b5c46c8e038b6bd609cb5%40%3Cissues.commons.apache.org%3E\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://lists.apache.org/thread.html/2454e058fd05ba30ca29442fdeb7ea47505d47a888fbc9f3a53f31d0%40%3Cissues.commons.apache.org%3E\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://lists.apache.org/thread.html/2ba22f2e3de945039db735cf6cbf7f8be901ab2537337c7b1dd6a0f0%40%3Cissues.commons.apache.org%3E\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://lists.apache.org/thread.html/31f9dc2c9cb68e390634a4202f84b8569f64b6569bfcce46348fd9fd%40%3Ccommits.commons.apache.org%3E\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://lists.apache.org/thread.html/37e1ed724a1b0e5d191d98c822c426670bdfde83804567131847d2a3%40%3Cdevnull.infra.apache.org%3E\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://lists.apache.org/thread.html/3f500972dceb48e3cb351f58565aecf6728b1ea7a69593af86c30b30%40%3Cissues.activemq.apache.org%3E\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://lists.apache.org/thread.html/40fc236a35801a535cd49cf1979dbeab034b833c63a284941bce5bf1%40%3Cdev.commons.apache.org%3E\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://lists.apache.org/thread.html/42ad6326d62ea8453d0d0ce12eff39bbb7c5b4fca9639da007291346%40%3Cissues.commons.apache.org%3E\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://lists.apache.org/thread.html/4c3fd707a049bfe0577dba8fc9c4868ffcdabe68ad86586a0a49242e%40%3Cissues.commons.apache.org%3E\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f%40%3Cdev.drill.apache.org%3E\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://lists.apache.org/thread.html/65b39fa6d700e511927e5668a4038127432178a210aff81500eb36e5%40%3Cissues.commons.apache.org%3E\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://lists.apache.org/thread.html/66176fa3caeca77058d9f5b0316419a43b4c3fa2b572e05b87132226%40%3Cissues.commons.apache.org%3E\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://lists.apache.org/thread.html/6afe2f935493e69a332b9c5a4f23cafe95c15ede1591a492cf612293%40%3Cissues.commons.apache.org%3E\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://lists.apache.org/thread.html/6b30629b32d020c40d537f00b004d281c37528d471de15ca8aec2cd4%40%3Cissues.commons.apache.org%3E\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://lists.apache.org/thread.html/708d94141126eac03011144a971a6411fcac16d9c248d1d535a39451%40%3Csolr-user.lucene.apache.org%3E\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://lists.apache.org/thread.html/869c08899f34c1a70c9fb42f92ac0d043c98781317e0c19d7ba3f5e3%40%3Cissues.commons.apache.org%3E\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://lists.apache.org/thread.html/88c497eead24ed517a2bb3159d3dc48725c215e97fe7a98b2cf3ea25%40%3Cdev.commons.apache.org%3E\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://lists.apache.org/thread.html/8e2bdfabd5b14836aa3cf900aa0a62ff9f4e22a518bb4e553ebcf55f%40%3Cissues.commons.apache.org%3E\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://lists.apache.org/thread.html/918ec15a80fc766ff46c5d769cb8efc88fed6674faadd61a7105166b%40%3Cannounce.apache.org%3E\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://lists.apache.org/thread.html/9317fd092b257a0815434b116a8af8daea6e920b6673f4fd5583d5fe%40%3Ccommits.druid.apache.org%3E\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://lists.apache.org/thread.html/956995acee0d8bc046f1df0a55b7fbeb65dd2f82864e5de1078bacb0%40%3Cissues.commons.apache.org%3E\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://lists.apache.org/thread.html/97fc033dad4233a5d82fcb75521eabdd23dd99ef32eb96f407f96a1a%40%3Cissues.commons.apache.org%3E\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://lists.apache.org/thread.html/9b5505632f5683ee17bda4f7878525e672226c7807d57709283ffa64%40%3Cissues.commons.apache.org%3E\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://lists.apache.org/thread.html/aa4ca069c7aea5b1d7329bc21576c44a39bcc4eb7bb2760c4b16f2f6%40%3Cissues.commons.apache.org%3E\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442%40%3Cdev.drill.apache.org%3E\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://lists.apache.org/thread.html/c24c0b931632a397142882ba248b7bd440027960f22845c6f664c639%40%3Ccommits.commons.apache.org%3E\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://lists.apache.org/thread.html/c70da3cb6e3f03e0ad8013e38b6959419d866c4a7c80fdd34b73f25c%40%3Ccommits.pulsar.apache.org%3E\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://lists.apache.org/thread.html/c7e31c3c90b292e0bafccc4e1b19c9afc1503a65d82cb7833dfd7478%40%3Cissues.commons.apache.org%3E\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://lists.apache.org/thread.html/cee6b1c4533be1a753614f6a7d7c533c42091e7cafd7053b8f62792a%40%3Cissues.commons.apache.org%3E\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://lists.apache.org/thread.html/d27c51b3c933f885460aa6d3004eb228916615caaaddbb8e8bfeeb40%40%3Cgitbox.activemq.apache.org%3E\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://lists.apache.org/thread.html/df093c662b5e49fe9e38ef91f78ffab09d0839dea7df69a747dffa86%40%3Cdev.commons.apache.org%3E\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://lists.apache.org/thread.html/df1c385f2112edffeff57a6b21d12e8d24031a9f578cb8ba22a947a8%40%3Cissues.commons.apache.org%3E\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://lists.apache.org/thread.html/ebc4f019798f6ce2a39f3e0c26a9068563a9ba092cdf3ece398d4e2f%40%3Cnotifications.commons.apache.org%3E\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://lists.apache.org/thread.html/f3682772e62926b5c009eed63c62767021be6da0bb7427610751809f%40%3Cissues.commons.apache.org%3E\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc%40%3Cissues.drill.apache.org%3E\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://lists.apache.org/thread.html/fda473f46e51019a78ab217a7a3a3d48dafd90846e75bd5536ef72f3%40%3Cnotifications.commons.apache.org%3E\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://lists.apache.org/thread.html/ffde3f266d3bde190b54c9202169e7918a92de7e7e0337d792dc7263%40%3Cissues.commons.apache.org%3E\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://lists.apache.org/thread.html/r204ba2a9ea750f38d789d2bb429cc0925ad6133deea7cbc3001d96b5%40%3Csolr-user.lucene.apache.org%3E\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://lists.apache.org/thread.html/r458d61eaeadecaad04382ebe583230bc027f48d9e85e4731bc573477%40%3Ccommits.dolphinscheduler.apache.org%3E\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://lists.apache.org/thread.html/r75d67108e557bb5d4c4318435067714a0180de525314b7e8dab9d04e%40%3Cissues.activemq.apache.org%3E\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://lists.apache.org/thread.html/rf5230a049d989dbfdd404b4320a265dceeeba459a4d04ec21873bd55%40%3Csolr-user.lucene.apache.org%3E\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://security.gentoo.org/glsa/201607-09\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://security.netapp.com/advisory/ntap-20140911-0001/\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://security.netapp.com/advisory/ntap-20180629-0006/\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html\",\"source\":\"secalert@redhat.com\"}]}}"
}
}
rhsa-2019_2995
Vulnerability from csaf_redhat
Published
2019-10-10 07:20
Modified
2024-11-05 21:27
Summary
Red Hat Security Advisory: Red Hat A-MQ Broker 7.5 release and security update
Notes
Topic
Red Hat A-MQ Broker 7.5 is now available from the Red Hat Customer Portal.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
AMQ Broker is a high-performance messaging implementation based on ActiveMQ Artemis. It uses an asynchronous journal for fast message persistence, and supports multiple languages, protocols, and platforms.
This release of Red Hat A-MQ Broker 7.5.0 serves as a replacement for Red Hat A-MQ Broker 7.4.1, and includes security and bug fixes, and enhancements. For further information, refer to the release notes linked to in the References section.
Security Fix(es):
* Apache Struts 1: Class Loader manipulation via request parameters (CVE-2014-0114)
For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Red Hat A-MQ Broker 7.5 is now available from the Red Hat Customer Portal.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "AMQ Broker is a high-performance messaging implementation based on ActiveMQ Artemis. It uses an asynchronous journal for fast message persistence, and supports multiple languages, protocols, and platforms. \n\nThis release of Red Hat A-MQ Broker 7.5.0 serves as a replacement for Red Hat A-MQ Broker 7.4.1, and includes security and bug fixes, and enhancements. For further information, refer to the release notes linked to in the References section.\n\nSecurity Fix(es):\n\n* Apache Struts 1: Class Loader manipulation via request parameters (CVE-2014-0114)\n\nFor more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2019:2995",
"url": "https://access.redhat.com/errata/RHSA-2019:2995"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions\u0026product=jboss.amq.broker\u0026version=7.5.0",
"url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions\u0026product=jboss.amq.broker\u0026version=7.5.0"
},
{
"category": "external",
"summary": "https://access.redhat.com/documentation/en-us/red_hat_amq/7.5/",
"url": "https://access.redhat.com/documentation/en-us/red_hat_amq/7.5/"
},
{
"category": "external",
"summary": "1091938",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1091938"
},
{
"category": "external",
"summary": "ENTMQBR-2849",
"url": "https://issues.redhat.com/browse/ENTMQBR-2849"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2019/rhsa-2019_2995.json"
}
],
"title": "Red Hat Security Advisory: Red Hat A-MQ Broker 7.5 release and security update",
"tracking": {
"current_release_date": "2024-11-05T21:27:56+00:00",
"generator": {
"date": "2024-11-05T21:27:56+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.1.1"
}
},
"id": "RHSA-2019:2995",
"initial_release_date": "2019-10-10T07:20:12+00:00",
"revision_history": [
{
"date": "2019-10-10T07:20:12+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2019-10-10T07:20:12+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2024-11-05T21:27:56+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat AMQ Broker 7",
"product": {
"name": "Red Hat AMQ Broker 7",
"product_id": "Red Hat AMQ Broker 7",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:amq_broker:7"
}
}
}
],
"category": "product_family",
"name": "Red Hat JBoss AMQ"
}
],
"category": "vendor",
"name": "Red Hat"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2014-0114",
"cwe": {
"id": "CWE-470",
"name": "Use of Externally-Controlled Input to Select Classes or Code (\u0027Unsafe Reflection\u0027)"
},
"discovery_date": "2014-04-28T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1091938"
}
],
"notes": [
{
"category": "description",
"text": "Apache Commons BeanUtils, as distributed in lib/commons-beanutils-1.8.0.jar in Apache Struts 1.x through 1.3.10 and in other products requiring commons-beanutils through 1.9.2, does not suppress the class property, which allows remote attackers to \"manipulate\" the ClassLoader and execute arbitrary code via the class parameter, as demonstrated by the passing of this parameter to the getClass method of the ActionForm object in Struts 1.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "1: Class Loader manipulation via request parameters",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This flaw allows attackers to manipulate ClassLoader properties on a vulnerable server. The impact of this depends on which ClassLoader properties are exposed. Exploits that lead to remote code execution have been published. These exploits rely on ClassLoader properties that are exposed on Tomcat 8, which is not included in any supported Red Hat products. However, some Red Hat products that ship Struts 1 do expose ClassLoader properties that could potentially be exploited. Additional information can be found in the Red Hat Knowledgebase article: https://access.redhat.com/site/solutions/869353",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat AMQ Broker 7"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2014-0114"
},
{
"category": "external",
"summary": "RHBZ#1091938",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1091938"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2014-0114",
"url": "https://www.cve.org/CVERecord?id=CVE-2014-0114"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2014-0114",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2014-0114"
}
],
"release_date": "2014-04-29T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2019-10-10T07:20:12+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"Red Hat AMQ Broker 7"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2019:2995"
},
{
"category": "workaround",
"details": "http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/Protect-your-Struts1-applications/ba-p/6463188#.VCaGk3V53Ua",
"product_ids": [
"Red Hat AMQ Broker 7"
]
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"products": [
"Red Hat AMQ Broker 7"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "1: Class Loader manipulation via request parameters"
}
]
}
rhsa-2014_0500
Vulnerability from csaf_redhat
Published
2014-05-14 19:07
Modified
2024-11-05 18:24
Summary
Red Hat Security Advisory: struts security update
Notes
Topic
Updated struts packages that fix one security issue are now available for
Red Hat Network Satellite 5.4 and 5.5, and Red Hat Satellite 5.6.
The Red Hat Security Response Team has rated this update as having
Important security impact. A Common Vulnerability Scoring System (CVSS)
base score, which gives a detailed severity rating, is available from the
CVE link in the References section.
Details
Red Hat Satellite is a systems management tool for Linux-based
infrastructures. It allows for provisioning, monitoring, and remote
management of multiple Linux deployments with a single, centralized tool.
Apache Struts is a framework for building web applications with Java.
It was found that the Struts 1 ActionForm object allowed access to the
'class' parameter, which is directly mapped to the getClass() method. A
remote attacker could use this flaw to manipulate the ClassLoader used by
an application server running Struts 1. This could lead to remote code
execution under certain conditions. (CVE-2014-0114)
All Satellite users are advised to upgrade to these updated packages, which
contain a backported patch to correct this issue. For this update to take
effect, the tomcat6 service must be restarted ("service tomcat6 restart").
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Updated struts packages that fix one security issue are now available for\nRed Hat Network Satellite 5.4 and 5.5, and Red Hat Satellite 5.6.\n\nThe Red Hat Security Response Team has rated this update as having\nImportant security impact. A Common Vulnerability Scoring System (CVSS)\nbase score, which gives a detailed severity rating, is available from the\nCVE link in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Red Hat Satellite is a systems management tool for Linux-based\ninfrastructures. It allows for provisioning, monitoring, and remote\nmanagement of multiple Linux deployments with a single, centralized tool.\n\nApache Struts is a framework for building web applications with Java.\n\nIt was found that the Struts 1 ActionForm object allowed access to the\n\u0027class\u0027 parameter, which is directly mapped to the getClass() method. A\nremote attacker could use this flaw to manipulate the ClassLoader used by\nan application server running Struts 1. This could lead to remote code\nexecution under certain conditions. (CVE-2014-0114)\n\nAll Satellite users are advised to upgrade to these updated packages, which\ncontain a backported patch to correct this issue. For this update to take\neffect, the tomcat6 service must be restarted (\"service tomcat6 restart\").",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2014:0500",
"url": "https://access.redhat.com/errata/RHSA-2014:0500"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "1091938",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1091938"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2014/rhsa-2014_0500.json"
}
],
"title": "Red Hat Security Advisory: struts security update",
"tracking": {
"current_release_date": "2024-11-05T18:24:54+00:00",
"generator": {
"date": "2024-11-05T18:24:54+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.1.1"
}
},
"id": "RHSA-2014:0500",
"initial_release_date": "2014-05-14T19:07:42+00:00",
"revision_history": [
{
"date": "2014-05-14T19:07:42+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2014-06-12T06:13:39+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2024-11-05T18:24:54+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Satellite 5.4 (RHEL v.6)",
"product": {
"name": "Red Hat Satellite 5.4 (RHEL v.6)",
"product_id": "6Server-Satellite",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:network_satellite:5.4::el6"
}
}
},
{
"category": "product_name",
"name": "Red Hat Satellite 5.5 (RHEL v.6)",
"product": {
"name": "Red Hat Satellite 5.5 (RHEL v.6)",
"product_id": "6Server-Satellite55",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:network_satellite:5.5::el6"
}
}
},
{
"category": "product_name",
"name": "Red Hat Satellite 5.6 (RHEL v.6)",
"product": {
"name": "Red Hat Satellite 5.6 (RHEL v.6)",
"product_id": "6Server-Satellite56",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:network_satellite:5.6::el6"
}
}
}
],
"category": "product_family",
"name": "Red Hat Satellite"
},
{
"branches": [
{
"category": "product_version",
"name": "struts-core-0:1.3.10-6.ep5.el6.noarch",
"product": {
"name": "struts-core-0:1.3.10-6.ep5.el6.noarch",
"product_id": "struts-core-0:1.3.10-6.ep5.el6.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/struts-core@1.3.10-6.ep5.el6?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "struts-0:1.3.10-6.ep5.el6.noarch",
"product": {
"name": "struts-0:1.3.10-6.ep5.el6.noarch",
"product_id": "struts-0:1.3.10-6.ep5.el6.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/struts@1.3.10-6.ep5.el6?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "struts-tiles-0:1.3.10-6.ep5.el6.noarch",
"product": {
"name": "struts-tiles-0:1.3.10-6.ep5.el6.noarch",
"product_id": "struts-tiles-0:1.3.10-6.ep5.el6.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/struts-tiles@1.3.10-6.ep5.el6?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "struts-extras-0:1.3.10-6.ep5.el6.noarch",
"product": {
"name": "struts-extras-0:1.3.10-6.ep5.el6.noarch",
"product_id": "struts-extras-0:1.3.10-6.ep5.el6.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/struts-extras@1.3.10-6.ep5.el6?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "struts-taglib-0:1.3.10-6.ep5.el6.noarch",
"product": {
"name": "struts-taglib-0:1.3.10-6.ep5.el6.noarch",
"product_id": "struts-taglib-0:1.3.10-6.ep5.el6.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/struts-taglib@1.3.10-6.ep5.el6?arch=noarch"
}
}
}
],
"category": "architecture",
"name": "noarch"
},
{
"branches": [
{
"category": "product_version",
"name": "struts-0:1.3.10-6.ep5.el6.src",
"product": {
"name": "struts-0:1.3.10-6.ep5.el6.src",
"product_id": "struts-0:1.3.10-6.ep5.el6.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/struts@1.3.10-6.ep5.el6?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "struts-0:1.3.10-6.ep5.el6.noarch as a component of Red Hat Satellite 5.5 (RHEL v.6)",
"product_id": "6Server-Satellite55:struts-0:1.3.10-6.ep5.el6.noarch"
},
"product_reference": "struts-0:1.3.10-6.ep5.el6.noarch",
"relates_to_product_reference": "6Server-Satellite55"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "struts-0:1.3.10-6.ep5.el6.src as a component of Red Hat Satellite 5.5 (RHEL v.6)",
"product_id": "6Server-Satellite55:struts-0:1.3.10-6.ep5.el6.src"
},
"product_reference": "struts-0:1.3.10-6.ep5.el6.src",
"relates_to_product_reference": "6Server-Satellite55"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "struts-core-0:1.3.10-6.ep5.el6.noarch as a component of Red Hat Satellite 5.5 (RHEL v.6)",
"product_id": "6Server-Satellite55:struts-core-0:1.3.10-6.ep5.el6.noarch"
},
"product_reference": "struts-core-0:1.3.10-6.ep5.el6.noarch",
"relates_to_product_reference": "6Server-Satellite55"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "struts-extras-0:1.3.10-6.ep5.el6.noarch as a component of Red Hat Satellite 5.5 (RHEL v.6)",
"product_id": "6Server-Satellite55:struts-extras-0:1.3.10-6.ep5.el6.noarch"
},
"product_reference": "struts-extras-0:1.3.10-6.ep5.el6.noarch",
"relates_to_product_reference": "6Server-Satellite55"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "struts-taglib-0:1.3.10-6.ep5.el6.noarch as a component of Red Hat Satellite 5.5 (RHEL v.6)",
"product_id": "6Server-Satellite55:struts-taglib-0:1.3.10-6.ep5.el6.noarch"
},
"product_reference": "struts-taglib-0:1.3.10-6.ep5.el6.noarch",
"relates_to_product_reference": "6Server-Satellite55"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "struts-tiles-0:1.3.10-6.ep5.el6.noarch as a component of Red Hat Satellite 5.5 (RHEL v.6)",
"product_id": "6Server-Satellite55:struts-tiles-0:1.3.10-6.ep5.el6.noarch"
},
"product_reference": "struts-tiles-0:1.3.10-6.ep5.el6.noarch",
"relates_to_product_reference": "6Server-Satellite55"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "struts-0:1.3.10-6.ep5.el6.noarch as a component of Red Hat Satellite 5.6 (RHEL v.6)",
"product_id": "6Server-Satellite56:struts-0:1.3.10-6.ep5.el6.noarch"
},
"product_reference": "struts-0:1.3.10-6.ep5.el6.noarch",
"relates_to_product_reference": "6Server-Satellite56"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "struts-0:1.3.10-6.ep5.el6.src as a component of Red Hat Satellite 5.6 (RHEL v.6)",
"product_id": "6Server-Satellite56:struts-0:1.3.10-6.ep5.el6.src"
},
"product_reference": "struts-0:1.3.10-6.ep5.el6.src",
"relates_to_product_reference": "6Server-Satellite56"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "struts-core-0:1.3.10-6.ep5.el6.noarch as a component of Red Hat Satellite 5.6 (RHEL v.6)",
"product_id": "6Server-Satellite56:struts-core-0:1.3.10-6.ep5.el6.noarch"
},
"product_reference": "struts-core-0:1.3.10-6.ep5.el6.noarch",
"relates_to_product_reference": "6Server-Satellite56"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "struts-extras-0:1.3.10-6.ep5.el6.noarch as a component of Red Hat Satellite 5.6 (RHEL v.6)",
"product_id": "6Server-Satellite56:struts-extras-0:1.3.10-6.ep5.el6.noarch"
},
"product_reference": "struts-extras-0:1.3.10-6.ep5.el6.noarch",
"relates_to_product_reference": "6Server-Satellite56"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "struts-taglib-0:1.3.10-6.ep5.el6.noarch as a component of Red Hat Satellite 5.6 (RHEL v.6)",
"product_id": "6Server-Satellite56:struts-taglib-0:1.3.10-6.ep5.el6.noarch"
},
"product_reference": "struts-taglib-0:1.3.10-6.ep5.el6.noarch",
"relates_to_product_reference": "6Server-Satellite56"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "struts-tiles-0:1.3.10-6.ep5.el6.noarch as a component of Red Hat Satellite 5.6 (RHEL v.6)",
"product_id": "6Server-Satellite56:struts-tiles-0:1.3.10-6.ep5.el6.noarch"
},
"product_reference": "struts-tiles-0:1.3.10-6.ep5.el6.noarch",
"relates_to_product_reference": "6Server-Satellite56"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "struts-0:1.3.10-6.ep5.el6.noarch as a component of Red Hat Satellite 5.4 (RHEL v.6)",
"product_id": "6Server-Satellite:struts-0:1.3.10-6.ep5.el6.noarch"
},
"product_reference": "struts-0:1.3.10-6.ep5.el6.noarch",
"relates_to_product_reference": "6Server-Satellite"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "struts-0:1.3.10-6.ep5.el6.src as a component of Red Hat Satellite 5.4 (RHEL v.6)",
"product_id": "6Server-Satellite:struts-0:1.3.10-6.ep5.el6.src"
},
"product_reference": "struts-0:1.3.10-6.ep5.el6.src",
"relates_to_product_reference": "6Server-Satellite"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "struts-core-0:1.3.10-6.ep5.el6.noarch as a component of Red Hat Satellite 5.4 (RHEL v.6)",
"product_id": "6Server-Satellite:struts-core-0:1.3.10-6.ep5.el6.noarch"
},
"product_reference": "struts-core-0:1.3.10-6.ep5.el6.noarch",
"relates_to_product_reference": "6Server-Satellite"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "struts-extras-0:1.3.10-6.ep5.el6.noarch as a component of Red Hat Satellite 5.4 (RHEL v.6)",
"product_id": "6Server-Satellite:struts-extras-0:1.3.10-6.ep5.el6.noarch"
},
"product_reference": "struts-extras-0:1.3.10-6.ep5.el6.noarch",
"relates_to_product_reference": "6Server-Satellite"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "struts-taglib-0:1.3.10-6.ep5.el6.noarch as a component of Red Hat Satellite 5.4 (RHEL v.6)",
"product_id": "6Server-Satellite:struts-taglib-0:1.3.10-6.ep5.el6.noarch"
},
"product_reference": "struts-taglib-0:1.3.10-6.ep5.el6.noarch",
"relates_to_product_reference": "6Server-Satellite"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "struts-tiles-0:1.3.10-6.ep5.el6.noarch as a component of Red Hat Satellite 5.4 (RHEL v.6)",
"product_id": "6Server-Satellite:struts-tiles-0:1.3.10-6.ep5.el6.noarch"
},
"product_reference": "struts-tiles-0:1.3.10-6.ep5.el6.noarch",
"relates_to_product_reference": "6Server-Satellite"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2014-0114",
"cwe": {
"id": "CWE-470",
"name": "Use of Externally-Controlled Input to Select Classes or Code (\u0027Unsafe Reflection\u0027)"
},
"discovery_date": "2014-04-28T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1091938"
}
],
"notes": [
{
"category": "description",
"text": "Apache Commons BeanUtils, as distributed in lib/commons-beanutils-1.8.0.jar in Apache Struts 1.x through 1.3.10 and in other products requiring commons-beanutils through 1.9.2, does not suppress the class property, which allows remote attackers to \"manipulate\" the ClassLoader and execute arbitrary code via the class parameter, as demonstrated by the passing of this parameter to the getClass method of the ActionForm object in Struts 1.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "1: Class Loader manipulation via request parameters",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This flaw allows attackers to manipulate ClassLoader properties on a vulnerable server. The impact of this depends on which ClassLoader properties are exposed. Exploits that lead to remote code execution have been published. These exploits rely on ClassLoader properties that are exposed on Tomcat 8, which is not included in any supported Red Hat products. However, some Red Hat products that ship Struts 1 do expose ClassLoader properties that could potentially be exploited. Additional information can be found in the Red Hat Knowledgebase article: https://access.redhat.com/site/solutions/869353",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"6Server-Satellite55:struts-0:1.3.10-6.ep5.el6.noarch",
"6Server-Satellite55:struts-0:1.3.10-6.ep5.el6.src",
"6Server-Satellite55:struts-core-0:1.3.10-6.ep5.el6.noarch",
"6Server-Satellite55:struts-extras-0:1.3.10-6.ep5.el6.noarch",
"6Server-Satellite55:struts-taglib-0:1.3.10-6.ep5.el6.noarch",
"6Server-Satellite55:struts-tiles-0:1.3.10-6.ep5.el6.noarch",
"6Server-Satellite56:struts-0:1.3.10-6.ep5.el6.noarch",
"6Server-Satellite56:struts-0:1.3.10-6.ep5.el6.src",
"6Server-Satellite56:struts-core-0:1.3.10-6.ep5.el6.noarch",
"6Server-Satellite56:struts-extras-0:1.3.10-6.ep5.el6.noarch",
"6Server-Satellite56:struts-taglib-0:1.3.10-6.ep5.el6.noarch",
"6Server-Satellite56:struts-tiles-0:1.3.10-6.ep5.el6.noarch",
"6Server-Satellite:struts-0:1.3.10-6.ep5.el6.noarch",
"6Server-Satellite:struts-0:1.3.10-6.ep5.el6.src",
"6Server-Satellite:struts-core-0:1.3.10-6.ep5.el6.noarch",
"6Server-Satellite:struts-extras-0:1.3.10-6.ep5.el6.noarch",
"6Server-Satellite:struts-taglib-0:1.3.10-6.ep5.el6.noarch",
"6Server-Satellite:struts-tiles-0:1.3.10-6.ep5.el6.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2014-0114"
},
{
"category": "external",
"summary": "RHBZ#1091938",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1091938"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2014-0114",
"url": "https://www.cve.org/CVERecord?id=CVE-2014-0114"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2014-0114",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2014-0114"
}
],
"release_date": "2014-04-29T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2014-05-14T19:07:42+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nThis update is available via the Red Hat Network. Details on how to\nuse the Red Hat Network to apply this update are available at\nhttps://access.redhat.com/site/articles/11258",
"product_ids": [
"6Server-Satellite55:struts-0:1.3.10-6.ep5.el6.noarch",
"6Server-Satellite55:struts-0:1.3.10-6.ep5.el6.src",
"6Server-Satellite55:struts-core-0:1.3.10-6.ep5.el6.noarch",
"6Server-Satellite55:struts-extras-0:1.3.10-6.ep5.el6.noarch",
"6Server-Satellite55:struts-taglib-0:1.3.10-6.ep5.el6.noarch",
"6Server-Satellite55:struts-tiles-0:1.3.10-6.ep5.el6.noarch",
"6Server-Satellite56:struts-0:1.3.10-6.ep5.el6.noarch",
"6Server-Satellite56:struts-0:1.3.10-6.ep5.el6.src",
"6Server-Satellite56:struts-core-0:1.3.10-6.ep5.el6.noarch",
"6Server-Satellite56:struts-extras-0:1.3.10-6.ep5.el6.noarch",
"6Server-Satellite56:struts-taglib-0:1.3.10-6.ep5.el6.noarch",
"6Server-Satellite56:struts-tiles-0:1.3.10-6.ep5.el6.noarch",
"6Server-Satellite:struts-0:1.3.10-6.ep5.el6.noarch",
"6Server-Satellite:struts-0:1.3.10-6.ep5.el6.src",
"6Server-Satellite:struts-core-0:1.3.10-6.ep5.el6.noarch",
"6Server-Satellite:struts-extras-0:1.3.10-6.ep5.el6.noarch",
"6Server-Satellite:struts-taglib-0:1.3.10-6.ep5.el6.noarch",
"6Server-Satellite:struts-tiles-0:1.3.10-6.ep5.el6.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2014:0500"
},
{
"category": "workaround",
"details": "http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/Protect-your-Struts1-applications/ba-p/6463188#.VCaGk3V53Ua",
"product_ids": [
"6Server-Satellite55:struts-0:1.3.10-6.ep5.el6.noarch",
"6Server-Satellite55:struts-0:1.3.10-6.ep5.el6.src",
"6Server-Satellite55:struts-core-0:1.3.10-6.ep5.el6.noarch",
"6Server-Satellite55:struts-extras-0:1.3.10-6.ep5.el6.noarch",
"6Server-Satellite55:struts-taglib-0:1.3.10-6.ep5.el6.noarch",
"6Server-Satellite55:struts-tiles-0:1.3.10-6.ep5.el6.noarch",
"6Server-Satellite56:struts-0:1.3.10-6.ep5.el6.noarch",
"6Server-Satellite56:struts-0:1.3.10-6.ep5.el6.src",
"6Server-Satellite56:struts-core-0:1.3.10-6.ep5.el6.noarch",
"6Server-Satellite56:struts-extras-0:1.3.10-6.ep5.el6.noarch",
"6Server-Satellite56:struts-taglib-0:1.3.10-6.ep5.el6.noarch",
"6Server-Satellite56:struts-tiles-0:1.3.10-6.ep5.el6.noarch",
"6Server-Satellite:struts-0:1.3.10-6.ep5.el6.noarch",
"6Server-Satellite:struts-0:1.3.10-6.ep5.el6.src",
"6Server-Satellite:struts-core-0:1.3.10-6.ep5.el6.noarch",
"6Server-Satellite:struts-extras-0:1.3.10-6.ep5.el6.noarch",
"6Server-Satellite:struts-taglib-0:1.3.10-6.ep5.el6.noarch",
"6Server-Satellite:struts-tiles-0:1.3.10-6.ep5.el6.noarch"
]
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"products": [
"6Server-Satellite55:struts-0:1.3.10-6.ep5.el6.noarch",
"6Server-Satellite55:struts-0:1.3.10-6.ep5.el6.src",
"6Server-Satellite55:struts-core-0:1.3.10-6.ep5.el6.noarch",
"6Server-Satellite55:struts-extras-0:1.3.10-6.ep5.el6.noarch",
"6Server-Satellite55:struts-taglib-0:1.3.10-6.ep5.el6.noarch",
"6Server-Satellite55:struts-tiles-0:1.3.10-6.ep5.el6.noarch",
"6Server-Satellite56:struts-0:1.3.10-6.ep5.el6.noarch",
"6Server-Satellite56:struts-0:1.3.10-6.ep5.el6.src",
"6Server-Satellite56:struts-core-0:1.3.10-6.ep5.el6.noarch",
"6Server-Satellite56:struts-extras-0:1.3.10-6.ep5.el6.noarch",
"6Server-Satellite56:struts-taglib-0:1.3.10-6.ep5.el6.noarch",
"6Server-Satellite56:struts-tiles-0:1.3.10-6.ep5.el6.noarch",
"6Server-Satellite:struts-0:1.3.10-6.ep5.el6.noarch",
"6Server-Satellite:struts-0:1.3.10-6.ep5.el6.src",
"6Server-Satellite:struts-core-0:1.3.10-6.ep5.el6.noarch",
"6Server-Satellite:struts-extras-0:1.3.10-6.ep5.el6.noarch",
"6Server-Satellite:struts-taglib-0:1.3.10-6.ep5.el6.noarch",
"6Server-Satellite:struts-tiles-0:1.3.10-6.ep5.el6.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "1: Class Loader manipulation via request parameters"
}
]
}
rhsa-2018_2669
Vulnerability from csaf_redhat
Published
2018-09-11 07:53
Modified
2024-11-05 20:44
Summary
Red Hat Security Advisory: Fuse 7.1 security update
Notes
Topic
An update is now available for Red Hat Fuse.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
Red Hat Fuse, based on Apache ServiceMix, provides a small-footprint, flexible, open source enterprise service bus and integration platform.
This release of Red Hat Fuse 7.1 serves as a replacement for Red Hat Fuse 7.0, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.
Security Fix(es):
* Apache Struts 1: Class Loader manipulation via request parameters (CVE-2014-0114)
* thrift: Improper file path sanitization in t_go_generator.cc:format_go_output() of the go client library can allow an attacker to inject commands (CVE-2016-5397)
* slf4j: Deserialisation vulnerability in EventData constructor can allow for arbitrary code execution (CVE-2018-8088)
* jolokia: JMX proxy mode vulnerable to remote code execution (CVE-2018-1000130)
* bouncycastle: DSA does not fully validate ASN.1 encoding during signature verification allowing for injection of unsigned data (CVE-2016-1000338)
* bouncycastle: Information leak in AESFastEngine class (CVE-2016-1000339)
* bouncycastle: Information exposure in DSA signature generation via timing attack (CVE-2016-1000341)
* bouncycastle: ECDSA improper validation of ASN.1 encoding of signature (CVE-2016-1000342)
* bouncycastle: DHIES implementation allowed the use of ECB mode (CVE-2016-1000344)
* bouncycastle: DHIES/ECIES CBC modes are vulnerable to padding oracle attack (CVE-2016-1000345)
* bouncycastle: Other party DH public keys are not fully validated (CVE-2016-1000346)
* bouncycastle: ECIES implementation allowed the use of ECB mode (CVE-2016-1000352)
* async-http-client: Invalid URL parsing with '?' (CVE-2017-14063)
* undertow: File descriptor leak caused by JarURLConnection.getLastModified() allows attacker to cause a denial of service (CVE-2018-1114)
* spring-framework: Directory traversal vulnerability with static resources on Windows filesystems (CVE-2018-1271)
* tika: Infinite loop in BPGParser can allow remote attacker to cause a denial of service (CVE-2018-1338)
* tika: Infinite loop in ChmParser can allow remote attacker to cause a denial of service (CVE-2018-1339)
* pdfbox: Infinite loop in AFMParser.java allows for out of memory erros via crafted PDF (CVE-2018-8036)
* jolokia: Cross site scripting in the HTTP servlet (CVE-2018-1000129)
* bouncycastle: flaw in the low-level interface to RSA key pair generator (CVE-2018-1000180)
* bouncycastle: Carry propagation bug in math.raw.Nat??? class (CVE-2016-1000340)
* bouncycastle: DSA key pair generator generates a weak private key by default (CVE-2016-1000343)
* spring-framework: Multipart content pollution (CVE-2018-1272)
For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.
Red Hat would like to thank Chris McCown for reporting CVE-2018-8088.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update is now available for Red Hat Fuse.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Red Hat Fuse, based on Apache ServiceMix, provides a small-footprint, flexible, open source enterprise service bus and integration platform.\n\nThis release of Red Hat Fuse 7.1 serves as a replacement for Red Hat Fuse 7.0, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.\n\nSecurity Fix(es):\n\n* Apache Struts 1: Class Loader manipulation via request parameters (CVE-2014-0114)\n\n* thrift: Improper file path sanitization in t_go_generator.cc:format_go_output() of the go client library can allow an attacker to inject commands (CVE-2016-5397)\n\n* slf4j: Deserialisation vulnerability in EventData constructor can allow for arbitrary code execution (CVE-2018-8088)\n\n* jolokia: JMX proxy mode vulnerable to remote code execution (CVE-2018-1000130)\n\n* bouncycastle: DSA does not fully validate ASN.1 encoding during signature verification allowing for injection of unsigned data (CVE-2016-1000338)\n\n* bouncycastle: Information leak in AESFastEngine class (CVE-2016-1000339)\n\n* bouncycastle: Information exposure in DSA signature generation via timing attack (CVE-2016-1000341)\n\n* bouncycastle: ECDSA improper validation of ASN.1 encoding of signature (CVE-2016-1000342)\n\n* bouncycastle: DHIES implementation allowed the use of ECB mode (CVE-2016-1000344)\n\n* bouncycastle: DHIES/ECIES CBC modes are vulnerable to padding oracle attack (CVE-2016-1000345)\n\n* bouncycastle: Other party DH public keys are not fully validated (CVE-2016-1000346)\n\n* bouncycastle: ECIES implementation allowed the use of ECB mode (CVE-2016-1000352)\n\n* async-http-client: Invalid URL parsing with \u0027?\u0027 (CVE-2017-14063)\n\n* undertow: File descriptor leak caused by JarURLConnection.getLastModified() allows attacker to cause a denial of service (CVE-2018-1114)\n\n* spring-framework: Directory traversal vulnerability with static resources on Windows filesystems (CVE-2018-1271)\n\n* tika: Infinite loop in BPGParser can allow remote attacker to cause a denial of service (CVE-2018-1338)\n\n* tika: Infinite loop in ChmParser can allow remote attacker to cause a denial of service (CVE-2018-1339)\n\n* pdfbox: Infinite loop in AFMParser.java allows for out of memory erros via crafted PDF (CVE-2018-8036)\n\n* jolokia: Cross site scripting in the HTTP servlet (CVE-2018-1000129)\n\n* bouncycastle: flaw in the low-level interface to RSA key pair generator (CVE-2018-1000180)\n\n* bouncycastle: Carry propagation bug in math.raw.Nat??? class (CVE-2016-1000340)\n\n* bouncycastle: DSA key pair generator generates a weak private key by default (CVE-2016-1000343)\n\n* spring-framework: Multipart content pollution (CVE-2018-1272)\n\nFor more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.\n\nRed Hat would like to thank Chris McCown for reporting CVE-2018-8088.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2018:2669",
"url": "https://access.redhat.com/errata/RHSA-2018:2669"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=jboss.fuse\u0026downloadType=distributions\u0026version=7.1.0",
"url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=jboss.fuse\u0026downloadType=distributions\u0026version=7.1.0"
},
{
"category": "external",
"summary": "https://access.redhat.com/documentation/en-us/red_hat_fuse/7.1/",
"url": "https://access.redhat.com/documentation/en-us/red_hat_fuse/7.1/"
},
{
"category": "external",
"summary": "https://access.redhat.com/articles/2939351",
"url": "https://access.redhat.com/articles/2939351"
},
{
"category": "external",
"summary": "1091938",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1091938"
},
{
"category": "external",
"summary": "1487563",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1487563"
},
{
"category": "external",
"summary": "1544620",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1544620"
},
{
"category": "external",
"summary": "1548909",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1548909"
},
{
"category": "external",
"summary": "1559316",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1559316"
},
{
"category": "external",
"summary": "1559317",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1559317"
},
{
"category": "external",
"summary": "1564408",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1564408"
},
{
"category": "external",
"summary": "1571050",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1571050"
},
{
"category": "external",
"summary": "1572421",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1572421"
},
{
"category": "external",
"summary": "1572424",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1572424"
},
{
"category": "external",
"summary": "1573045",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1573045"
},
{
"category": "external",
"summary": "1588306",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1588306"
},
{
"category": "external",
"summary": "1588313",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1588313"
},
{
"category": "external",
"summary": "1588314",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1588314"
},
{
"category": "external",
"summary": "1588323",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1588323"
},
{
"category": "external",
"summary": "1588327",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1588327"
},
{
"category": "external",
"summary": "1588330",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1588330"
},
{
"category": "external",
"summary": "1588688",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1588688"
},
{
"category": "external",
"summary": "1588695",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1588695"
},
{
"category": "external",
"summary": "1588708",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1588708"
},
{
"category": "external",
"summary": "1588715",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1588715"
},
{
"category": "external",
"summary": "1588721",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1588721"
},
{
"category": "external",
"summary": "1597490",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1597490"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2018/rhsa-2018_2669.json"
}
],
"title": "Red Hat Security Advisory: Fuse 7.1 security update",
"tracking": {
"current_release_date": "2024-11-05T20:44:31+00:00",
"generator": {
"date": "2024-11-05T20:44:31+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.1.1"
}
},
"id": "RHSA-2018:2669",
"initial_release_date": "2018-09-11T07:53:47+00:00",
"revision_history": [
{
"date": "2018-09-11T07:53:47+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2018-09-11T07:53:47+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2024-11-05T20:44:31+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat JBoss Fuse 7",
"product": {
"name": "Red Hat JBoss Fuse 7",
"product_id": "Red Hat JBoss Fuse 7",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:jboss_fuse:7"
}
}
}
],
"category": "product_family",
"name": "Red Hat JBoss Fuse"
}
],
"category": "vendor",
"name": "Red Hat"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2014-0114",
"cwe": {
"id": "CWE-470",
"name": "Use of Externally-Controlled Input to Select Classes or Code (\u0027Unsafe Reflection\u0027)"
},
"discovery_date": "2014-04-28T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1091938"
}
],
"notes": [
{
"category": "description",
"text": "Apache Commons BeanUtils, as distributed in lib/commons-beanutils-1.8.0.jar in Apache Struts 1.x through 1.3.10 and in other products requiring commons-beanutils through 1.9.2, does not suppress the class property, which allows remote attackers to \"manipulate\" the ClassLoader and execute arbitrary code via the class parameter, as demonstrated by the passing of this parameter to the getClass method of the ActionForm object in Struts 1.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "1: Class Loader manipulation via request parameters",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This flaw allows attackers to manipulate ClassLoader properties on a vulnerable server. The impact of this depends on which ClassLoader properties are exposed. Exploits that lead to remote code execution have been published. These exploits rely on ClassLoader properties that are exposed on Tomcat 8, which is not included in any supported Red Hat products. However, some Red Hat products that ship Struts 1 do expose ClassLoader properties that could potentially be exploited. Additional information can be found in the Red Hat Knowledgebase article: https://access.redhat.com/site/solutions/869353",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss Fuse 7"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2014-0114"
},
{
"category": "external",
"summary": "RHBZ#1091938",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1091938"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2014-0114",
"url": "https://www.cve.org/CVERecord?id=CVE-2014-0114"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2014-0114",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2014-0114"
}
],
"release_date": "2014-04-29T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2018-09-11T07:53:47+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nInstallation instructions are located in the download section of the customer portal.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"Red Hat JBoss Fuse 7"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2018:2669"
},
{
"category": "workaround",
"details": "http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/Protect-your-Struts1-applications/ba-p/6463188#.VCaGk3V53Ua",
"product_ids": [
"Red Hat JBoss Fuse 7"
]
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"products": [
"Red Hat JBoss Fuse 7"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "1: Class Loader manipulation via request parameters"
},
{
"cve": "CVE-2016-5397",
"cwe": {
"id": "CWE-78",
"name": "Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)"
},
"discovery_date": "2018-02-13T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1544620"
}
],
"notes": [
{
"category": "description",
"text": "The Apache Thrift Go client library exposed the potential during code generation for command injection due to using an external formatting tool. Affected Apache Thrift 0.9.3 and older, Fixed in Apache Thrift 0.10.0.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "thrift: Improper file path sanitization in t_go_generator.cc:format_go_output() of the go client library can allow an attacker to inject commands",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "libthrift is a library used by OpenDaylight which is shipped with Red Hat OpenStack. Whilst the version of the library used contains the vulnerable code it is not used by OpenDaylight and hence not exposed.\n\nJBoss fuse 6.3 ships libthrift via insight-activemq fabric-8 profile, however the vulnerable code is not used by fabric-8 so fuse 6.3 is not affected.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss Fuse 7"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2016-5397"
},
{
"category": "external",
"summary": "RHBZ#1544620",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1544620"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2016-5397",
"url": "https://www.cve.org/CVERecord?id=CVE-2016-5397"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2016-5397",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2016-5397"
}
],
"release_date": "2016-07-04T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2018-09-11T07:53:47+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nInstallation instructions are located in the download section of the customer portal.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"Red Hat JBoss Fuse 7"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2018:2669"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"products": [
"Red Hat JBoss Fuse 7"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "thrift: Improper file path sanitization in t_go_generator.cc:format_go_output() of the go client library can allow an attacker to inject commands"
},
{
"cve": "CVE-2016-1000338",
"cwe": {
"id": "CWE-325",
"name": "Missing Cryptographic Step"
},
"discovery_date": "2018-06-07T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1588313"
}
],
"notes": [
{
"category": "description",
"text": "In Bouncy Castle JCE Provider version 1.55 and earlier the DSA does not fully validate ASN.1 encoding of signature on verification. It is possible to inject extra elements in the sequence making up the signature and still have it validate, which in some cases may allow the introduction of \u0027invisible\u0027 data into a signed structure.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "bouncycastle: DSA does not fully validate ASN.1 encoding during signature verification allowing for injection of unsigned data",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This issue affects the versions of bouncycastle as shipped with Red Hat Subscription Asset Manager 1.x. Red Hat Product Security has rated this issue as having a security impact of Moderate. No update is planned for this product at this time. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss Fuse 7"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2016-1000338"
},
{
"category": "external",
"summary": "RHBZ#1588313",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1588313"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2016-1000338",
"url": "https://www.cve.org/CVERecord?id=CVE-2016-1000338"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2016-1000338",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2016-1000338"
}
],
"release_date": "2016-10-15T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2018-09-11T07:53:47+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nInstallation instructions are located in the download section of the customer portal.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"Red Hat JBoss Fuse 7"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2018:2669"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.0"
},
"products": [
"Red Hat JBoss Fuse 7"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "bouncycastle: DSA does not fully validate ASN.1 encoding during signature verification allowing for injection of unsigned data"
},
{
"cve": "CVE-2016-1000339",
"cwe": {
"id": "CWE-200",
"name": "Exposure of Sensitive Information to an Unauthorized Actor"
},
"discovery_date": "2018-06-07T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1588695"
}
],
"notes": [
{
"category": "description",
"text": "In the Bouncy Castle JCE Provider version 1.55 and earlier the primary engine class used for AES was AESFastEngine. Due to the highly table driven approach used in the algorithm it turns out that if the data channel on the CPU can be monitored the lookup table accesses are sufficient to leak information on the AES key being used. There was also a leak in AESEngine although it was substantially less. AESEngine has been modified to remove any signs of leakage (testing carried out on Intel X86-64) and is now the primary AES class for the BC JCE provider from 1.56. Use of AESFastEngine is now only recommended where otherwise deemed appropriate.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "bouncycastle: Information leak in AESFastEngine class",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This issue affects the versions of bouncycastle as shipped with Red Hat Subscription Asset Manager 1.x. Red Hat Product Security has rated this issue as having a security impact of Moderate. No update is planned for this product at this time. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss Fuse 7"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2016-1000339"
},
{
"category": "external",
"summary": "RHBZ#1588695",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1588695"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2016-1000339",
"url": "https://www.cve.org/CVERecord?id=CVE-2016-1000339"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2016-1000339",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2016-1000339"
}
],
"release_date": "2018-06-07T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2018-09-11T07:53:47+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nInstallation instructions are located in the download section of the customer portal.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"Red Hat JBoss Fuse 7"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2018:2669"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 5.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.0"
},
"products": [
"Red Hat JBoss Fuse 7"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "bouncycastle: Information leak in AESFastEngine class"
},
{
"cve": "CVE-2016-1000340",
"cwe": {
"id": "CWE-682",
"name": "Incorrect Calculation"
},
"discovery_date": "2018-06-07T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1588688"
}
],
"notes": [
{
"category": "description",
"text": "In the Bouncy Castle JCE Provider versions 1.51 to 1.55, a carry propagation bug was introduced in the implementation of squaring for several raw math classes have been fixed (org.bouncycastle.math.raw.Nat???). These classes are used by our custom elliptic curve implementations (org.bouncycastle.math.ec.custom.**), so there was the possibility of rare (in general usage) spurious calculations for elliptic curve scalar multiplications. Such errors would have been detected with high probability by the output validation for our scalar multipliers.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "bouncycastle: Carry propagation bug in math.raw.Nat??? class",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This issue affects the versions of bouncycastle as shipped with Red Hat Subscription Asset Manager 1.x. Red Hat Product Security has rated this issue as having a security impact of Low. No update is planned for this product at this time. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss Fuse 7"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2016-1000340"
},
{
"category": "external",
"summary": "RHBZ#1588688",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1588688"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2016-1000340",
"url": "https://www.cve.org/CVERecord?id=CVE-2016-1000340"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2016-1000340",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2016-1000340"
}
],
"release_date": "2018-06-07T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2018-09-11T07:53:47+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nInstallation instructions are located in the download section of the customer portal.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"Red Hat JBoss Fuse 7"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2018:2669"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 2.9,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.0"
},
"products": [
"Red Hat JBoss Fuse 7"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "bouncycastle: Carry propagation bug in math.raw.Nat??? class"
},
{
"cve": "CVE-2016-1000341",
"cwe": {
"id": "CWE-385",
"name": "Covert Timing Channel"
},
"discovery_date": "2018-06-07T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1588708"
}
],
"notes": [
{
"category": "description",
"text": "In the Bouncy Castle JCE Provider version 1.55 and earlier DSA signature generation is vulnerable to timing attack. Where timings can be closely observed for the generation of signatures, the lack of blinding in 1.55, or earlier, may allow an attacker to gain information about the signature\u0027s k value and ultimately the private value as well.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "bouncycastle: Information exposure in DSA signature generation via timing attack",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This issue affects the versions of bouncycastle as shipped with Red Hat Subscription Asset Manager 1.x. Red Hat Product Security has rated this issue as having a security impact of Moderate. No update is planned for this product at this time. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss Fuse 7"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2016-1000341"
},
{
"category": "external",
"summary": "RHBZ#1588708",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1588708"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2016-1000341",
"url": "https://www.cve.org/CVERecord?id=CVE-2016-1000341"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2016-1000341",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2016-1000341"
}
],
"release_date": "2018-06-07T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2018-09-11T07:53:47+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nInstallation instructions are located in the download section of the customer portal.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"Red Hat JBoss Fuse 7"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2018:2669"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 5.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.0"
},
"products": [
"Red Hat JBoss Fuse 7"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "bouncycastle: Information exposure in DSA signature generation via timing attack"
},
{
"cve": "CVE-2016-1000342",
"cwe": {
"id": "CWE-295",
"name": "Improper Certificate Validation"
},
"discovery_date": "2018-06-07T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1588715"
}
],
"notes": [
{
"category": "description",
"text": "In the Bouncy Castle JCE Provider version 1.55 and earlier ECDSA does not fully validate ASN.1 encoding of signature on verification. It is possible to inject extra elements in the sequence making up the signature and still have it validate, which in some cases may allow the introduction of \u0027invisible\u0027 data into a signed structure.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "bouncycastle: ECDSA improper validation of ASN.1 encoding of signature",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This issue affects the versions of bouncycastle as shipped with Red Hat Subscription Asset Manager 1.x. Red Hat Product Security has rated this issue as having a security impact of Moderate. No update is planned for this product at this time. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss Fuse 7"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2016-1000342"
},
{
"category": "external",
"summary": "RHBZ#1588715",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1588715"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2016-1000342",
"url": "https://www.cve.org/CVERecord?id=CVE-2016-1000342"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2016-1000342",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2016-1000342"
}
],
"release_date": "2018-06-07T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2018-09-11T07:53:47+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nInstallation instructions are located in the download section of the customer portal.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"Red Hat JBoss Fuse 7"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2018:2669"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 5.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.0"
},
"products": [
"Red Hat JBoss Fuse 7"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "bouncycastle: ECDSA improper validation of ASN.1 encoding of signature"
},
{
"cve": "CVE-2016-1000343",
"cwe": {
"id": "CWE-338",
"name": "Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)"
},
"discovery_date": "2018-06-07T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1588721"
}
],
"notes": [
{
"category": "description",
"text": "In the Bouncy Castle JCE Provider version 1.55 and earlier the DSA key pair generator generates a weak private key if used with default values. If the JCA key pair generator is not explicitly initialised with DSA parameters, 1.55 and earlier generates a private value assuming a 1024 bit key size. In earlier releases this can be dealt with by explicitly passing parameters to the key pair generator.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "bouncycastle: DSA key pair generator generates a weak private key by default",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This issue affects the versions of bouncycastle as shipped with Red Hat Subscription Asset Manager 1.x. Red Hat Product Security has rated this issue as having a security impact of Low. No update is planned for this product at this time. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss Fuse 7"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2016-1000343"
},
{
"category": "external",
"summary": "RHBZ#1588721",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1588721"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2016-1000343",
"url": "https://www.cve.org/CVERecord?id=CVE-2016-1000343"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2016-1000343",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2016-1000343"
}
],
"release_date": "2018-06-07T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2018-09-11T07:53:47+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nInstallation instructions are located in the download section of the customer portal.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"Red Hat JBoss Fuse 7"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2018:2669"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 2.9,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.0"
},
"products": [
"Red Hat JBoss Fuse 7"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "bouncycastle: DSA key pair generator generates a weak private key by default"
},
{
"cve": "CVE-2016-1000344",
"cwe": {
"id": "CWE-325",
"name": "Missing Cryptographic Step"
},
"discovery_date": "2018-06-07T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1588314"
}
],
"notes": [
{
"category": "description",
"text": "In the Bouncy Castle JCE Provider version 1.55 and earlier the DHIES implementation allowed the use of ECB mode. This mode is regarded as unsafe and support for it has been removed from the provider.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "bouncycastle: DHIES implementation allowed the use of ECB mode",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This issue affects the versions of bouncycastle as shipped with Red Hat Subscription Asset Manager 1.x. Red Hat Product Security has rated this issue as having a security impact of Moderate. No update is planned for this product at this time. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss Fuse 7"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2016-1000344"
},
{
"category": "external",
"summary": "RHBZ#1588314",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1588314"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2016-1000344",
"url": "https://www.cve.org/CVERecord?id=CVE-2016-1000344"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2016-1000344",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2016-1000344"
}
],
"release_date": "2016-04-27T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2018-09-11T07:53:47+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nInstallation instructions are located in the download section of the customer portal.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"Red Hat JBoss Fuse 7"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2018:2669"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.0"
},
"products": [
"Red Hat JBoss Fuse 7"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "bouncycastle: DHIES implementation allowed the use of ECB mode"
},
{
"cve": "CVE-2016-1000345",
"cwe": {
"id": "CWE-325",
"name": "Missing Cryptographic Step"
},
"discovery_date": "2018-06-07T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1588323"
}
],
"notes": [
{
"category": "description",
"text": "In the Bouncy Castle JCE Provider version 1.55 and earlier the DHIES/ECIES CBC mode vulnerable to padding oracle attack. For BC 1.55 and older, in an environment where timings can be easily observed, it is possible with enough observations to identify when the decryption is failing due to padding.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "bouncycastle: DHIES/ECIES CBC modes are vulnerable to padding oracle attack",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This issue affects the versions of bouncycastle as shipped with Red Hat Subscription Asset Manager 1.x. Red Hat Product Security has rated this issue as having a security impact of Moderate. No update is planned for this product at this time. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss Fuse 7"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2016-1000345"
},
{
"category": "external",
"summary": "RHBZ#1588323",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1588323"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2016-1000345",
"url": "https://www.cve.org/CVERecord?id=CVE-2016-1000345"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2016-1000345",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2016-1000345"
}
],
"release_date": "2016-04-27T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2018-09-11T07:53:47+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nInstallation instructions are located in the download section of the customer portal.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"Red Hat JBoss Fuse 7"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2018:2669"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.0"
},
"products": [
"Red Hat JBoss Fuse 7"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "bouncycastle: DHIES/ECIES CBC modes are vulnerable to padding oracle attack"
},
{
"cve": "CVE-2016-1000346",
"cwe": {
"id": "CWE-325",
"name": "Missing Cryptographic Step"
},
"discovery_date": "2018-06-07T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1588327"
}
],
"notes": [
{
"category": "description",
"text": "In the Bouncy Castle JCE Provider version 1.55 and earlier the other party DH public key is not fully validated. This can cause issues as invalid keys can be used to reveal details about the other party\u0027s private key where static Diffie-Hellman is in use. As of release 1.56 the key parameters are checked on agreement calculation.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "bouncycastle: Other party DH public keys are not fully validated",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This issue affects the versions of bouncycastle as shipped with Red Hat Subscription Asset Manager 1.x. Red Hat Product Security has rated this issue as having a security impact of Moderate. No update is planned for this product at this time. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss Fuse 7"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2016-1000346"
},
{
"category": "external",
"summary": "RHBZ#1588327",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1588327"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2016-1000346",
"url": "https://www.cve.org/CVERecord?id=CVE-2016-1000346"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2016-1000346",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2016-1000346"
}
],
"release_date": "2016-10-29T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2018-09-11T07:53:47+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nInstallation instructions are located in the download section of the customer portal.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"Red Hat JBoss Fuse 7"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2018:2669"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.0"
},
"products": [
"Red Hat JBoss Fuse 7"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "bouncycastle: Other party DH public keys are not fully validated"
},
{
"cve": "CVE-2016-1000352",
"cwe": {
"id": "CWE-325",
"name": "Missing Cryptographic Step"
},
"discovery_date": "2018-06-07T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1588330"
}
],
"notes": [
{
"category": "description",
"text": "In the Bouncy Castle JCE Provider version 1.55 and earlier the ECIES implementation allowed the use of ECB mode. This mode is regarded as unsafe and support for it has been removed from the provider.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "bouncycastle: ECIES implementation allowed the use of ECB mode",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This issue affects the versions of bouncycastle as shipped with Red Hat Subscription Asset Manager 1.x. Red Hat Product Security has rated this issue as having a security impact of Moderate. No update is planned for this product at this time. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss Fuse 7"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2016-1000352"
},
{
"category": "external",
"summary": "RHBZ#1588330",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1588330"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2016-1000352",
"url": "https://www.cve.org/CVERecord?id=CVE-2016-1000352"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2016-1000352",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2016-1000352"
}
],
"release_date": "2016-04-27T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2018-09-11T07:53:47+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nInstallation instructions are located in the download section of the customer portal.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"Red Hat JBoss Fuse 7"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2018:2669"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.0"
},
"products": [
"Red Hat JBoss Fuse 7"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "bouncycastle: ECIES implementation allowed the use of ECB mode"
},
{
"cve": "CVE-2017-14063",
"discovery_date": "2017-08-31T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1487563"
}
],
"notes": [
{
"category": "description",
"text": "Async Http Client (aka async-http-client) before 2.0.35 can be tricked into connecting to a host different from the one extracted by java.net.URI if a \u0027?\u0027 character occurs in a fragment identifier. Similar bugs were previously identified in cURL (CVE-2016-8624) and Oracle Java 8 java.net.URL.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "async-http-client: Invalid URL parsing with \u0027?\u0027",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss Fuse 7"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2017-14063"
},
{
"category": "external",
"summary": "RHBZ#1487563",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1487563"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2017-14063",
"url": "https://www.cve.org/CVERecord?id=CVE-2017-14063"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2017-14063",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-14063"
}
],
"release_date": "2017-08-28T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2018-09-11T07:53:47+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nInstallation instructions are located in the download section of the customer portal.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"Red Hat JBoss Fuse 7"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2018:2669"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.0"
},
"products": [
"Red Hat JBoss Fuse 7"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "async-http-client: Invalid URL parsing with \u0027?\u0027"
},
{
"cve": "CVE-2018-1114",
"cwe": {
"id": "CWE-400",
"name": "Uncontrolled Resource Consumption"
},
"discovery_date": "2018-04-30T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1573045"
}
],
"notes": [
{
"category": "description",
"text": "It was found that URLResource.getLastModified() in Undertow closes the file descriptors only when they are finalized which can cause file descriptors to exhaust. This leads to a file handler leak.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "undertow: File descriptor leak caused by JarURLConnection.getLastModified() allows attacker to cause a denial of service",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss Fuse 7"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2018-1114"
},
{
"category": "external",
"summary": "RHBZ#1573045",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1573045"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2018-1114",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-1114"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2018-1114",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1114"
},
{
"category": "external",
"summary": "https://bugs.openjdk.java.net/browse/JDK-6956385",
"url": "https://bugs.openjdk.java.net/browse/JDK-6956385"
},
{
"category": "external",
"summary": "https://issues.jboss.org/browse/UNDERTOW-1338",
"url": "https://issues.jboss.org/browse/UNDERTOW-1338"
}
],
"release_date": "2018-04-21T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2018-09-11T07:53:47+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nInstallation instructions are located in the download section of the customer portal.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"Red Hat JBoss Fuse 7"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2018:2669"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.0"
},
"products": [
"Red Hat JBoss Fuse 7"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "undertow: File descriptor leak caused by JarURLConnection.getLastModified() allows attacker to cause a denial of service"
},
{
"cve": "CVE-2018-1271",
"cwe": {
"id": "CWE-22",
"name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
},
"discovery_date": "2018-04-24T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1571050"
}
],
"notes": [
{
"category": "description",
"text": "Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, allow applications to configure Spring MVC to serve static resources (e.g. CSS, JS, images). When static resources are served from a file system on Windows (as opposed to the classpath, or the ServletContext), a malicious user can send a request using a specially crafted URL that can lead a directory traversal attack.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "spring-framework: Directory traversal vulnerability with static resources on Windows filesystems",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss Fuse 7"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2018-1271"
},
{
"category": "external",
"summary": "RHBZ#1571050",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1571050"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2018-1271",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-1271"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2018-1271",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1271"
},
{
"category": "external",
"summary": "https://pivotal.io/security/cve-2018-1271",
"url": "https://pivotal.io/security/cve-2018-1271"
}
],
"release_date": "2018-04-05T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2018-09-11T07:53:47+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nInstallation instructions are located in the download section of the customer portal.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"Red Hat JBoss Fuse 7"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2018:2669"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N",
"version": "3.0"
},
"products": [
"Red Hat JBoss Fuse 7"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "spring-framework: Directory traversal vulnerability with static resources on Windows filesystems"
},
{
"cve": "CVE-2018-1272",
"cwe": {
"id": "CWE-88",
"name": "Improper Neutralization of Argument Delimiters in a Command (\u0027Argument Injection\u0027)"
},
"discovery_date": "2018-04-05T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1564408"
}
],
"notes": [
{
"category": "description",
"text": "Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, provide client-side support for multipart requests. When Spring MVC or Spring WebFlux server application (server A) receives input from a remote client, and then uses that input to make a multipart request to another server (server B), it can be exposed to an attack, where an extra multipart is inserted in the content of the request from server A, causing server B to use the wrong value for a part it expects. This could to lead privilege escalation, for example, if the part content represents a username or user roles.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "spring-framework: Multipart content pollution",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss Fuse 7"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2018-1272"
},
{
"category": "external",
"summary": "RHBZ#1564408",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1564408"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2018-1272",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-1272"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2018-1272",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1272"
},
{
"category": "external",
"summary": "https://pivotal.io/security/cve-2018-1272",
"url": "https://pivotal.io/security/cve-2018-1272"
}
],
"release_date": "2018-04-05T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2018-09-11T07:53:47+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nInstallation instructions are located in the download section of the customer portal.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"Red Hat JBoss Fuse 7"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2018:2669"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N",
"version": "3.0"
},
"products": [
"Red Hat JBoss Fuse 7"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "spring-framework: Multipart content pollution"
},
{
"cve": "CVE-2018-1338",
"cwe": {
"id": "CWE-835",
"name": "Loop with Unreachable Exit Condition (\u0027Infinite Loop\u0027)"
},
"discovery_date": "2018-04-27T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1572421"
}
],
"notes": [
{
"category": "description",
"text": "An infinite loop vulnerability was discovered in Apache Tika prior to version 1.18. A remote attacker could exploit this to cause a denial of service via crafted file.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "tika: Infinite loop in BPGParser can allow remote attacker to cause a denial of service",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This issue affects the versions of tika which is embedded in the nutch package as shipped with Red Hat Satellite 5. The tika server is not exposed, as such exploitation is difficult, Red Hat Product Security has rated this issue as having security impact of Low. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss Fuse 7"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2018-1338"
},
{
"category": "external",
"summary": "RHBZ#1572421",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1572421"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2018-1338",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-1338"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2018-1338",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1338"
},
{
"category": "external",
"summary": "https://lists.apache.org/thread.html/4d20c5748fb9f836653bc78a1bad991ba8485d82a1e821f70b641932@%3Cdev.tika.apache.org%3E",
"url": "https://lists.apache.org/thread.html/4d20c5748fb9f836653bc78a1bad991ba8485d82a1e821f70b641932@%3Cdev.tika.apache.org%3E"
}
],
"release_date": "2018-04-25T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2018-09-11T07:53:47+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nInstallation instructions are located in the download section of the customer portal.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"Red Hat JBoss Fuse 7"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2018:2669"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.0"
},
"products": [
"Red Hat JBoss Fuse 7"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "tika: Infinite loop in BPGParser can allow remote attacker to cause a denial of service"
},
{
"cve": "CVE-2018-1339",
"cwe": {
"id": "CWE-835",
"name": "Loop with Unreachable Exit Condition (\u0027Infinite Loop\u0027)"
},
"discovery_date": "2018-04-27T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1572424"
}
],
"notes": [
{
"category": "description",
"text": "A carefully crafted (or fuzzed) file can trigger an infinite loop in Apache Tika\u0027s ChmParser in versions of Apache Tika before 1.18.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "tika: Infinite loop in ChmParser can allow remote attacker to cause a denial of service",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This issue affects the versions of tika which is embedded in the nutch package as shipped with Red Hat Satellite 5. The tika server is not exposed, as such exploitation is difficult, Red Hat Product Security has rated this issue as having security impact of Low. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss Fuse 7"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2018-1339"
},
{
"category": "external",
"summary": "RHBZ#1572424",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1572424"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2018-1339",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-1339"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2018-1339",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1339"
},
{
"category": "external",
"summary": "https://lists.apache.org/thread.html/4d2cb5c819401bb075e2a1130e0d14f0404a136541a6f91da0225828@%3Cdev.tika.apache.org%3E",
"url": "https://lists.apache.org/thread.html/4d2cb5c819401bb075e2a1130e0d14f0404a136541a6f91da0225828@%3Cdev.tika.apache.org%3E"
}
],
"release_date": "2018-04-25T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2018-09-11T07:53:47+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nInstallation instructions are located in the download section of the customer portal.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"Red Hat JBoss Fuse 7"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2018:2669"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.0"
},
"products": [
"Red Hat JBoss Fuse 7"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "tika: Infinite loop in ChmParser can allow remote attacker to cause a denial of service"
},
{
"cve": "CVE-2018-8036",
"cwe": {
"id": "CWE-400",
"name": "Uncontrolled Resource Consumption"
},
"discovery_date": "2018-07-03T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1597490"
}
],
"notes": [
{
"category": "description",
"text": "In Apache PDFBox 1.8.0 to 1.8.14 and 2.0.0RC1 to 2.0.10, a carefully crafted (or fuzzed) file can trigger an infinite loop which leads to an out of memory exception in Apache PDFBox\u0027s AFMParser.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "pdfbox: Infinite loop in AFMParser.java allows for out of memory erros via crafted PDF",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "While Fuse 6.3 and Fuse 7.0 ship vulnerable artifact via camel-pdfbox, however, the flawed code is not being used therefore no execution path leads to an exposure to this vulnerability, so both Fuse 6.3, 7 standalone are not affected. However, Fuse 7.0 on OpenShift ship vulnerable artifact via maven BOM, so setting Fuse 7.0 as affected for this reason only.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss Fuse 7"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2018-8036"
},
{
"category": "external",
"summary": "RHBZ#1597490",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1597490"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2018-8036",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-8036"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2018-8036",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-8036"
},
{
"category": "external",
"summary": "http://www.openwall.com/lists/oss-security/2018/06/29/1",
"url": "http://www.openwall.com/lists/oss-security/2018/06/29/1"
}
],
"release_date": "2018-07-01T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2018-09-11T07:53:47+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nInstallation instructions are located in the download section of the customer portal.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"Red Hat JBoss Fuse 7"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2018:2669"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"version": "3.0"
},
"products": [
"Red Hat JBoss Fuse 7"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "pdfbox: Infinite loop in AFMParser.java allows for out of memory erros via crafted PDF"
},
{
"acknowledgments": [
{
"names": [
"Chris McCown"
]
}
],
"cve": "CVE-2018-8088",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2018-02-26T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1548909"
}
],
"notes": [
{
"category": "description",
"text": "An XML deserialization vulnerability was discovered in slf4j\u0027s EventData, which accepts an XML serialized string and can lead to arbitrary code execution.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "slf4j: Deserialisation vulnerability in EventData constructor can allow for arbitrary code execution",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Subscription Asset Manager is now in a reduced support phase receiving only Critical impact security fixes. This issue has been rated as having a security impact of Important, and is not currently planned to be addressed in future updates.\n\nThis issue did not affect the versions of Candlepin as shipped with Red Hat Satellite 6 as Candlepin uses slf4j-api and not the affected slf4j-ext (which is not on the Candlepin classpath).\n\nRed Hat Enterprise Virtualization Manager 4.1 is affected by this issue. Updated packages that address this issue are available through the Red Hat Enterprise Linux Server channels. Virtualization Manager hosts should be subscribed to these channels and obtain the updates via `yum update`.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss Fuse 7"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2018-8088"
},
{
"category": "external",
"summary": "RHBZ#1548909",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1548909"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2018-8088",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-8088"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2018-8088",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-8088"
}
],
"release_date": "2018-02-22T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2018-09-11T07:53:47+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nInstallation instructions are located in the download section of the customer portal.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"Red Hat JBoss Fuse 7"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2018:2669"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"products": [
"Red Hat JBoss Fuse 7"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "slf4j: Deserialisation vulnerability in EventData constructor can allow for arbitrary code execution"
},
{
"cve": "CVE-2018-1000129",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2018-03-14T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1559317"
}
],
"notes": [
{
"category": "description",
"text": "An XSS vulnerability exists in the Jolokia agent version 1.3.7 in the HTTP servlet that allows an attacker to execute malicious javascript in the victim\u0027s browser.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jolokia: Cross site scripting in the HTTP servlet",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Product Security has rated this issue as having security impact of Low for:\n* Red Hat OpenStack Platform 9.0 (Mitaka)\n* Red Hat OpenStack Platform 10.0 (Newton) \n* Red Hat OpenStack Platform 11.0 (Ocata)\n* Red Hat OpenStack Platform 12.0 (Pike)\n\nAlthough the affected code is present in shipped packages, data returned by Jolokia is correctly processed and invalid data is not used. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss Fuse 7"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2018-1000129"
},
{
"category": "external",
"summary": "RHBZ#1559317",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1559317"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2018-1000129",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-1000129"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2018-1000129",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1000129"
},
{
"category": "external",
"summary": "https://jolokia.org/#Security_fixes_with_1.5.0",
"url": "https://jolokia.org/#Security_fixes_with_1.5.0"
}
],
"release_date": "2018-02-08T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2018-09-11T07:53:47+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nInstallation instructions are located in the download section of the customer portal.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"Red Hat JBoss Fuse 7"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2018:2669"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
"products": [
"Red Hat JBoss Fuse 7"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "jolokia: Cross site scripting in the HTTP servlet"
},
{
"cve": "CVE-2018-1000130",
"cwe": {
"id": "CWE-99",
"name": "Improper Control of Resource Identifiers (\u0027Resource Injection\u0027)"
},
"discovery_date": "2018-03-14T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1559316"
}
],
"notes": [
{
"category": "description",
"text": "A JNDI Injection vulnerability exists in Jolokia agent version 1.3.7 in the proxy mode that allows a remote attacker to run arbitrary Java code on the server.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jolokia: JMX proxy mode vulnerable to remote code execution",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "For Red Hat OpenStack Platform, although the affected code is present in shipped packages, proxy mode is not enabled by default and the affected code is not used in any supported configuration of Red Hat OpenStack Platform. For this reason, the RHOSP impact as been reduced to Low and this issue is not currently planned to be addressed in future updates.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss Fuse 7"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2018-1000130"
},
{
"category": "external",
"summary": "RHBZ#1559316",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1559316"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2018-1000130",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-1000130"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2018-1000130",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1000130"
},
{
"category": "external",
"summary": "https://jolokia.org/#Security_fixes_with_1.5.0",
"url": "https://jolokia.org/#Security_fixes_with_1.5.0"
}
],
"release_date": "2018-02-08T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2018-09-11T07:53:47+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nInstallation instructions are located in the download section of the customer portal.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"Red Hat JBoss Fuse 7"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2018:2669"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"products": [
"Red Hat JBoss Fuse 7"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "jolokia: JMX proxy mode vulnerable to remote code execution"
},
{
"cve": "CVE-2018-1000180",
"cwe": {
"id": "CWE-325",
"name": "Missing Cryptographic Step"
},
"discovery_date": "2018-06-07T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1588306"
}
],
"notes": [
{
"category": "description",
"text": "A vulnerability was found in BouncyCastle. The number of iterations of the Miller-Rabin primality test was incorrectly calculated (according to FIPS 186-4 C.3). Under some circumstances, this could lead to the generation of weak RSA key pairs.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "bouncycastle: flaw in the low-level interface to RSA key pair generator",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This issue affects the versions of bouncycastle as shipped with Red Hat Subscription Asset Manager 1.x. Red Hat Product Security has rated this issue as having a security impact of Moderate. No update is planned for this product at this time. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.\n\nRed Hat Satellite 6.5 isn\u0027t vulnerable to this issue, since it doesn\u0027t ship bouncycastle jar file anymore.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss Fuse 7"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2018-1000180"
},
{
"category": "external",
"summary": "RHBZ#1588306",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1588306"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2018-1000180",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-1000180"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2018-1000180",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1000180"
}
],
"release_date": "2018-04-18T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2018-09-11T07:53:47+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nInstallation instructions are located in the download section of the customer portal.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"Red Hat JBoss Fuse 7"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2018:2669"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.0"
},
"products": [
"Red Hat JBoss Fuse 7"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "bouncycastle: flaw in the low-level interface to RSA key pair generator"
}
]
}
rhsa-2014_0498
Vulnerability from csaf_redhat
Published
2014-05-14 18:06
Modified
2024-11-05 18:25
Summary
Red Hat Security Advisory: Fuse ESB Enterprise 7.1.0 security update
Notes
Topic
Fuse ESB Enterprise 7.1.0 R1 P4 (Patch 4 on Rollup Patch 1), a security
update that addresses one security issue, is now available from the Red Hat
Customer Portal.
The Red Hat Security Response Team has rated this update as having
Important security impact. A Common Vulnerability Scoring System (CVSS)
base score, which gives a detailed severity rating, is available from the
CVE link in the References section.
Details
Fuse ESB Enterprise is an integration platform based on Apache ServiceMix.
It was found that the Struts 1 ActionForm object allowed access to the
'class' parameter, which is directly mapped to the getClass() method.
A remote attacker could use this flaw to manipulate the ClassLoader used by
an application server running Struts 1. This could lead to remote code
execution under certain conditions. (CVE-2014-0114)
Refer to the readme.txt file included with the patch files for
installation instructions.
All users of Fuse ESB Enterprise 7.1.0 as provided from the Red Hat
Customer Portal are advised to apply this security update.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Fuse ESB Enterprise 7.1.0 R1 P4 (Patch 4 on Rollup Patch 1), a security\nupdate that addresses one security issue, is now available from the Red Hat\nCustomer Portal.\n\nThe Red Hat Security Response Team has rated this update as having\nImportant security impact. A Common Vulnerability Scoring System (CVSS)\nbase score, which gives a detailed severity rating, is available from the\nCVE link in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Fuse ESB Enterprise is an integration platform based on Apache ServiceMix.\n\nIt was found that the Struts 1 ActionForm object allowed access to the\n\u0027class\u0027 parameter, which is directly mapped to the getClass() method.\nA remote attacker could use this flaw to manipulate the ClassLoader used by\nan application server running Struts 1. This could lead to remote code\nexecution under certain conditions. (CVE-2014-0114)\n\nRefer to the readme.txt file included with the patch files for\ninstallation instructions.\n\nAll users of Fuse ESB Enterprise 7.1.0 as provided from the Red Hat\nCustomer Portal are advised to apply this security update.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2014:0498",
"url": "https://access.redhat.com/errata/RHSA-2014:0498"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=fuse.esb.enterprise\u0026downloadType=securityPatches\u0026version=7.1.0",
"url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=fuse.esb.enterprise\u0026downloadType=securityPatches\u0026version=7.1.0"
},
{
"category": "external",
"summary": "1091938",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1091938"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2014/rhsa-2014_0498.json"
}
],
"title": "Red Hat Security Advisory: Fuse ESB Enterprise 7.1.0 security update",
"tracking": {
"current_release_date": "2024-11-05T18:25:32+00:00",
"generator": {
"date": "2024-11-05T18:25:32+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.1.1"
}
},
"id": "RHSA-2014:0498",
"initial_release_date": "2014-05-14T18:06:52+00:00",
"revision_history": [
{
"date": "2014-05-14T18:06:52+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2014-05-14T18:06:52+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2024-11-05T18:25:32+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Fuse ESB Enterprise 7.1.0",
"product": {
"name": "Fuse ESB Enterprise 7.1.0",
"product_id": "Fuse ESB Enterprise 7.1.0",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:fuse_esb_enterprise:7.1.0"
}
}
}
],
"category": "product_family",
"name": "Fuse Enterprise Middleware"
}
],
"category": "vendor",
"name": "Red Hat"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2014-0114",
"cwe": {
"id": "CWE-470",
"name": "Use of Externally-Controlled Input to Select Classes or Code (\u0027Unsafe Reflection\u0027)"
},
"discovery_date": "2014-04-28T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1091938"
}
],
"notes": [
{
"category": "description",
"text": "Apache Commons BeanUtils, as distributed in lib/commons-beanutils-1.8.0.jar in Apache Struts 1.x through 1.3.10 and in other products requiring commons-beanutils through 1.9.2, does not suppress the class property, which allows remote attackers to \"manipulate\" the ClassLoader and execute arbitrary code via the class parameter, as demonstrated by the passing of this parameter to the getClass method of the ActionForm object in Struts 1.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "1: Class Loader manipulation via request parameters",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This flaw allows attackers to manipulate ClassLoader properties on a vulnerable server. The impact of this depends on which ClassLoader properties are exposed. Exploits that lead to remote code execution have been published. These exploits rely on ClassLoader properties that are exposed on Tomcat 8, which is not included in any supported Red Hat products. However, some Red Hat products that ship Struts 1 do expose ClassLoader properties that could potentially be exploited. Additional information can be found in the Red Hat Knowledgebase article: https://access.redhat.com/site/solutions/869353",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Fuse ESB Enterprise 7.1.0"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2014-0114"
},
{
"category": "external",
"summary": "RHBZ#1091938",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1091938"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2014-0114",
"url": "https://www.cve.org/CVERecord?id=CVE-2014-0114"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2014-0114",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2014-0114"
}
],
"release_date": "2014-04-29T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2014-05-14T18:06:52+00:00",
"details": "The References section of this erratum contains a download link (you must\nlog in to download the update).",
"product_ids": [
"Fuse ESB Enterprise 7.1.0"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2014:0498"
},
{
"category": "workaround",
"details": "http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/Protect-your-Struts1-applications/ba-p/6463188#.VCaGk3V53Ua",
"product_ids": [
"Fuse ESB Enterprise 7.1.0"
]
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"products": [
"Fuse ESB Enterprise 7.1.0"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "1: Class Loader manipulation via request parameters"
}
]
}
rhsa-2014_0474
Vulnerability from csaf_redhat
Published
2014-05-07 04:56
Modified
2024-11-05 18:24
Summary
Red Hat Security Advisory: struts security update
Notes
Topic
Updated struts packages that fix one security issue are now available for
Red Hat Enterprise Linux 5.
The Red Hat Security Response Team has rated this update as having
Important security impact. A Common Vulnerability Scoring System (CVSS)
base score, which gives a detailed severity rating, is available from the
CVE link in the References section.
Details
Apache Struts is a framework for building web applications with Java.
It was found that the Struts 1 ActionForm object allowed access to the
'class' parameter, which is directly mapped to the getClass() method. A
remote attacker could use this flaw to manipulate the ClassLoader used by
an application server running Struts 1. This could lead to remote code
execution under certain conditions. (CVE-2014-0114)
All struts users are advised to upgrade to these updated packages, which
contain a backported patch to correct this issue. All running applications
using struts must be restarted for this update to take effect.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Updated struts packages that fix one security issue are now available for\nRed Hat Enterprise Linux 5.\n\nThe Red Hat Security Response Team has rated this update as having\nImportant security impact. A Common Vulnerability Scoring System (CVSS)\nbase score, which gives a detailed severity rating, is available from the\nCVE link in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Apache Struts is a framework for building web applications with Java.\n\nIt was found that the Struts 1 ActionForm object allowed access to the\n\u0027class\u0027 parameter, which is directly mapped to the getClass() method. A\nremote attacker could use this flaw to manipulate the ClassLoader used by\nan application server running Struts 1. This could lead to remote code\nexecution under certain conditions. (CVE-2014-0114)\n\nAll struts users are advised to upgrade to these updated packages, which\ncontain a backported patch to correct this issue. All running applications\nusing struts must be restarted for this update to take effect.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2014:0474",
"url": "https://access.redhat.com/errata/RHSA-2014:0474"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "1091938",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1091938"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2014/rhsa-2014_0474.json"
}
],
"title": "Red Hat Security Advisory: struts security update",
"tracking": {
"current_release_date": "2024-11-05T18:24:36+00:00",
"generator": {
"date": "2024-11-05T18:24:36+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.1.1"
}
},
"id": "RHSA-2014:0474",
"initial_release_date": "2014-05-07T04:56:26+00:00",
"revision_history": [
{
"date": "2014-05-07T04:56:26+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2014-05-07T04:56:26+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2024-11-05T18:24:36+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Enterprise Linux Desktop Workstation (v. 5 client)",
"product": {
"name": "Red Hat Enterprise Linux Desktop Workstation (v. 5 client)",
"product_id": "5Client-Workstation-5.10.Z",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:enterprise_linux:5::client_workstation"
}
}
},
{
"category": "product_name",
"name": "Red Hat Enterprise Linux (v. 5 server)",
"product": {
"name": "Red Hat Enterprise Linux (v. 5 server)",
"product_id": "5Server-5.10.Z",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:enterprise_linux:5::server"
}
}
}
],
"category": "product_family",
"name": "Red Hat Enterprise Linux"
},
{
"branches": [
{
"category": "product_version",
"name": "struts-debuginfo-0:1.2.9-4jpp.8.el5_10.x86_64",
"product": {
"name": "struts-debuginfo-0:1.2.9-4jpp.8.el5_10.x86_64",
"product_id": "struts-debuginfo-0:1.2.9-4jpp.8.el5_10.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/struts-debuginfo@1.2.9-4jpp.8.el5_10?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.x86_64",
"product": {
"name": "struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.x86_64",
"product_id": "struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/struts-webapps-tomcat5@1.2.9-4jpp.8.el5_10?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "struts-manual-0:1.2.9-4jpp.8.el5_10.x86_64",
"product": {
"name": "struts-manual-0:1.2.9-4jpp.8.el5_10.x86_64",
"product_id": "struts-manual-0:1.2.9-4jpp.8.el5_10.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/struts-manual@1.2.9-4jpp.8.el5_10?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "struts-javadoc-0:1.2.9-4jpp.8.el5_10.x86_64",
"product": {
"name": "struts-javadoc-0:1.2.9-4jpp.8.el5_10.x86_64",
"product_id": "struts-javadoc-0:1.2.9-4jpp.8.el5_10.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/struts-javadoc@1.2.9-4jpp.8.el5_10?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "struts-0:1.2.9-4jpp.8.el5_10.x86_64",
"product": {
"name": "struts-0:1.2.9-4jpp.8.el5_10.x86_64",
"product_id": "struts-0:1.2.9-4jpp.8.el5_10.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/struts@1.2.9-4jpp.8.el5_10?arch=x86_64"
}
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_version",
"name": "struts-debuginfo-0:1.2.9-4jpp.8.el5_10.s390x",
"product": {
"name": "struts-debuginfo-0:1.2.9-4jpp.8.el5_10.s390x",
"product_id": "struts-debuginfo-0:1.2.9-4jpp.8.el5_10.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/struts-debuginfo@1.2.9-4jpp.8.el5_10?arch=s390x"
}
}
},
{
"category": "product_version",
"name": "struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.s390x",
"product": {
"name": "struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.s390x",
"product_id": "struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/struts-webapps-tomcat5@1.2.9-4jpp.8.el5_10?arch=s390x"
}
}
},
{
"category": "product_version",
"name": "struts-manual-0:1.2.9-4jpp.8.el5_10.s390x",
"product": {
"name": "struts-manual-0:1.2.9-4jpp.8.el5_10.s390x",
"product_id": "struts-manual-0:1.2.9-4jpp.8.el5_10.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/struts-manual@1.2.9-4jpp.8.el5_10?arch=s390x"
}
}
},
{
"category": "product_version",
"name": "struts-javadoc-0:1.2.9-4jpp.8.el5_10.s390x",
"product": {
"name": "struts-javadoc-0:1.2.9-4jpp.8.el5_10.s390x",
"product_id": "struts-javadoc-0:1.2.9-4jpp.8.el5_10.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/struts-javadoc@1.2.9-4jpp.8.el5_10?arch=s390x"
}
}
},
{
"category": "product_version",
"name": "struts-0:1.2.9-4jpp.8.el5_10.s390x",
"product": {
"name": "struts-0:1.2.9-4jpp.8.el5_10.s390x",
"product_id": "struts-0:1.2.9-4jpp.8.el5_10.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/struts@1.2.9-4jpp.8.el5_10?arch=s390x"
}
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "struts-debuginfo-0:1.2.9-4jpp.8.el5_10.ia64",
"product": {
"name": "struts-debuginfo-0:1.2.9-4jpp.8.el5_10.ia64",
"product_id": "struts-debuginfo-0:1.2.9-4jpp.8.el5_10.ia64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/struts-debuginfo@1.2.9-4jpp.8.el5_10?arch=ia64"
}
}
},
{
"category": "product_version",
"name": "struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.ia64",
"product": {
"name": "struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.ia64",
"product_id": "struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.ia64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/struts-webapps-tomcat5@1.2.9-4jpp.8.el5_10?arch=ia64"
}
}
},
{
"category": "product_version",
"name": "struts-manual-0:1.2.9-4jpp.8.el5_10.ia64",
"product": {
"name": "struts-manual-0:1.2.9-4jpp.8.el5_10.ia64",
"product_id": "struts-manual-0:1.2.9-4jpp.8.el5_10.ia64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/struts-manual@1.2.9-4jpp.8.el5_10?arch=ia64"
}
}
},
{
"category": "product_version",
"name": "struts-javadoc-0:1.2.9-4jpp.8.el5_10.ia64",
"product": {
"name": "struts-javadoc-0:1.2.9-4jpp.8.el5_10.ia64",
"product_id": "struts-javadoc-0:1.2.9-4jpp.8.el5_10.ia64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/struts-javadoc@1.2.9-4jpp.8.el5_10?arch=ia64"
}
}
},
{
"category": "product_version",
"name": "struts-0:1.2.9-4jpp.8.el5_10.ia64",
"product": {
"name": "struts-0:1.2.9-4jpp.8.el5_10.ia64",
"product_id": "struts-0:1.2.9-4jpp.8.el5_10.ia64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/struts@1.2.9-4jpp.8.el5_10?arch=ia64"
}
}
}
],
"category": "architecture",
"name": "ia64"
},
{
"branches": [
{
"category": "product_version",
"name": "struts-debuginfo-0:1.2.9-4jpp.8.el5_10.i386",
"product": {
"name": "struts-debuginfo-0:1.2.9-4jpp.8.el5_10.i386",
"product_id": "struts-debuginfo-0:1.2.9-4jpp.8.el5_10.i386",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/struts-debuginfo@1.2.9-4jpp.8.el5_10?arch=i386"
}
}
},
{
"category": "product_version",
"name": "struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.i386",
"product": {
"name": "struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.i386",
"product_id": "struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.i386",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/struts-webapps-tomcat5@1.2.9-4jpp.8.el5_10?arch=i386"
}
}
},
{
"category": "product_version",
"name": "struts-manual-0:1.2.9-4jpp.8.el5_10.i386",
"product": {
"name": "struts-manual-0:1.2.9-4jpp.8.el5_10.i386",
"product_id": "struts-manual-0:1.2.9-4jpp.8.el5_10.i386",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/struts-manual@1.2.9-4jpp.8.el5_10?arch=i386"
}
}
},
{
"category": "product_version",
"name": "struts-javadoc-0:1.2.9-4jpp.8.el5_10.i386",
"product": {
"name": "struts-javadoc-0:1.2.9-4jpp.8.el5_10.i386",
"product_id": "struts-javadoc-0:1.2.9-4jpp.8.el5_10.i386",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/struts-javadoc@1.2.9-4jpp.8.el5_10?arch=i386"
}
}
},
{
"category": "product_version",
"name": "struts-0:1.2.9-4jpp.8.el5_10.i386",
"product": {
"name": "struts-0:1.2.9-4jpp.8.el5_10.i386",
"product_id": "struts-0:1.2.9-4jpp.8.el5_10.i386",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/struts@1.2.9-4jpp.8.el5_10?arch=i386"
}
}
}
],
"category": "architecture",
"name": "i386"
},
{
"branches": [
{
"category": "product_version",
"name": "struts-debuginfo-0:1.2.9-4jpp.8.el5_10.ppc",
"product": {
"name": "struts-debuginfo-0:1.2.9-4jpp.8.el5_10.ppc",
"product_id": "struts-debuginfo-0:1.2.9-4jpp.8.el5_10.ppc",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/struts-debuginfo@1.2.9-4jpp.8.el5_10?arch=ppc"
}
}
},
{
"category": "product_version",
"name": "struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.ppc",
"product": {
"name": "struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.ppc",
"product_id": "struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.ppc",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/struts-webapps-tomcat5@1.2.9-4jpp.8.el5_10?arch=ppc"
}
}
},
{
"category": "product_version",
"name": "struts-manual-0:1.2.9-4jpp.8.el5_10.ppc",
"product": {
"name": "struts-manual-0:1.2.9-4jpp.8.el5_10.ppc",
"product_id": "struts-manual-0:1.2.9-4jpp.8.el5_10.ppc",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/struts-manual@1.2.9-4jpp.8.el5_10?arch=ppc"
}
}
},
{
"category": "product_version",
"name": "struts-javadoc-0:1.2.9-4jpp.8.el5_10.ppc",
"product": {
"name": "struts-javadoc-0:1.2.9-4jpp.8.el5_10.ppc",
"product_id": "struts-javadoc-0:1.2.9-4jpp.8.el5_10.ppc",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/struts-javadoc@1.2.9-4jpp.8.el5_10?arch=ppc"
}
}
},
{
"category": "product_version",
"name": "struts-0:1.2.9-4jpp.8.el5_10.ppc",
"product": {
"name": "struts-0:1.2.9-4jpp.8.el5_10.ppc",
"product_id": "struts-0:1.2.9-4jpp.8.el5_10.ppc",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/struts@1.2.9-4jpp.8.el5_10?arch=ppc"
}
}
}
],
"category": "architecture",
"name": "ppc"
},
{
"branches": [
{
"category": "product_version",
"name": "struts-0:1.2.9-4jpp.8.el5_10.src",
"product": {
"name": "struts-0:1.2.9-4jpp.8.el5_10.src",
"product_id": "struts-0:1.2.9-4jpp.8.el5_10.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/struts@1.2.9-4jpp.8.el5_10?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "struts-0:1.2.9-4jpp.8.el5_10.i386 as a component of Red Hat Enterprise Linux Desktop Workstation (v. 5 client)",
"product_id": "5Client-Workstation-5.10.Z:struts-0:1.2.9-4jpp.8.el5_10.i386"
},
"product_reference": "struts-0:1.2.9-4jpp.8.el5_10.i386",
"relates_to_product_reference": "5Client-Workstation-5.10.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "struts-0:1.2.9-4jpp.8.el5_10.ia64 as a component of Red Hat Enterprise Linux Desktop Workstation (v. 5 client)",
"product_id": "5Client-Workstation-5.10.Z:struts-0:1.2.9-4jpp.8.el5_10.ia64"
},
"product_reference": "struts-0:1.2.9-4jpp.8.el5_10.ia64",
"relates_to_product_reference": "5Client-Workstation-5.10.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "struts-0:1.2.9-4jpp.8.el5_10.ppc as a component of Red Hat Enterprise Linux Desktop Workstation (v. 5 client)",
"product_id": "5Client-Workstation-5.10.Z:struts-0:1.2.9-4jpp.8.el5_10.ppc"
},
"product_reference": "struts-0:1.2.9-4jpp.8.el5_10.ppc",
"relates_to_product_reference": "5Client-Workstation-5.10.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "struts-0:1.2.9-4jpp.8.el5_10.s390x as a component of Red Hat Enterprise Linux Desktop Workstation (v. 5 client)",
"product_id": "5Client-Workstation-5.10.Z:struts-0:1.2.9-4jpp.8.el5_10.s390x"
},
"product_reference": "struts-0:1.2.9-4jpp.8.el5_10.s390x",
"relates_to_product_reference": "5Client-Workstation-5.10.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "struts-0:1.2.9-4jpp.8.el5_10.src as a component of Red Hat Enterprise Linux Desktop Workstation (v. 5 client)",
"product_id": "5Client-Workstation-5.10.Z:struts-0:1.2.9-4jpp.8.el5_10.src"
},
"product_reference": "struts-0:1.2.9-4jpp.8.el5_10.src",
"relates_to_product_reference": "5Client-Workstation-5.10.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "struts-0:1.2.9-4jpp.8.el5_10.x86_64 as a component of Red Hat Enterprise Linux Desktop Workstation (v. 5 client)",
"product_id": "5Client-Workstation-5.10.Z:struts-0:1.2.9-4jpp.8.el5_10.x86_64"
},
"product_reference": "struts-0:1.2.9-4jpp.8.el5_10.x86_64",
"relates_to_product_reference": "5Client-Workstation-5.10.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "struts-debuginfo-0:1.2.9-4jpp.8.el5_10.i386 as a component of Red Hat Enterprise Linux Desktop Workstation (v. 5 client)",
"product_id": "5Client-Workstation-5.10.Z:struts-debuginfo-0:1.2.9-4jpp.8.el5_10.i386"
},
"product_reference": "struts-debuginfo-0:1.2.9-4jpp.8.el5_10.i386",
"relates_to_product_reference": "5Client-Workstation-5.10.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "struts-debuginfo-0:1.2.9-4jpp.8.el5_10.ia64 as a component of Red Hat Enterprise Linux Desktop Workstation (v. 5 client)",
"product_id": "5Client-Workstation-5.10.Z:struts-debuginfo-0:1.2.9-4jpp.8.el5_10.ia64"
},
"product_reference": "struts-debuginfo-0:1.2.9-4jpp.8.el5_10.ia64",
"relates_to_product_reference": "5Client-Workstation-5.10.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "struts-debuginfo-0:1.2.9-4jpp.8.el5_10.ppc as a component of Red Hat Enterprise Linux Desktop Workstation (v. 5 client)",
"product_id": "5Client-Workstation-5.10.Z:struts-debuginfo-0:1.2.9-4jpp.8.el5_10.ppc"
},
"product_reference": "struts-debuginfo-0:1.2.9-4jpp.8.el5_10.ppc",
"relates_to_product_reference": "5Client-Workstation-5.10.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "struts-debuginfo-0:1.2.9-4jpp.8.el5_10.s390x as a component of Red Hat Enterprise Linux Desktop Workstation (v. 5 client)",
"product_id": "5Client-Workstation-5.10.Z:struts-debuginfo-0:1.2.9-4jpp.8.el5_10.s390x"
},
"product_reference": "struts-debuginfo-0:1.2.9-4jpp.8.el5_10.s390x",
"relates_to_product_reference": "5Client-Workstation-5.10.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "struts-debuginfo-0:1.2.9-4jpp.8.el5_10.x86_64 as a component of Red Hat Enterprise Linux Desktop Workstation (v. 5 client)",
"product_id": "5Client-Workstation-5.10.Z:struts-debuginfo-0:1.2.9-4jpp.8.el5_10.x86_64"
},
"product_reference": "struts-debuginfo-0:1.2.9-4jpp.8.el5_10.x86_64",
"relates_to_product_reference": "5Client-Workstation-5.10.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "struts-javadoc-0:1.2.9-4jpp.8.el5_10.i386 as a component of Red Hat Enterprise Linux Desktop Workstation (v. 5 client)",
"product_id": "5Client-Workstation-5.10.Z:struts-javadoc-0:1.2.9-4jpp.8.el5_10.i386"
},
"product_reference": "struts-javadoc-0:1.2.9-4jpp.8.el5_10.i386",
"relates_to_product_reference": "5Client-Workstation-5.10.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "struts-javadoc-0:1.2.9-4jpp.8.el5_10.ia64 as a component of Red Hat Enterprise Linux Desktop Workstation (v. 5 client)",
"product_id": "5Client-Workstation-5.10.Z:struts-javadoc-0:1.2.9-4jpp.8.el5_10.ia64"
},
"product_reference": "struts-javadoc-0:1.2.9-4jpp.8.el5_10.ia64",
"relates_to_product_reference": "5Client-Workstation-5.10.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "struts-javadoc-0:1.2.9-4jpp.8.el5_10.ppc as a component of Red Hat Enterprise Linux Desktop Workstation (v. 5 client)",
"product_id": "5Client-Workstation-5.10.Z:struts-javadoc-0:1.2.9-4jpp.8.el5_10.ppc"
},
"product_reference": "struts-javadoc-0:1.2.9-4jpp.8.el5_10.ppc",
"relates_to_product_reference": "5Client-Workstation-5.10.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "struts-javadoc-0:1.2.9-4jpp.8.el5_10.s390x as a component of Red Hat Enterprise Linux Desktop Workstation (v. 5 client)",
"product_id": "5Client-Workstation-5.10.Z:struts-javadoc-0:1.2.9-4jpp.8.el5_10.s390x"
},
"product_reference": "struts-javadoc-0:1.2.9-4jpp.8.el5_10.s390x",
"relates_to_product_reference": "5Client-Workstation-5.10.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "struts-javadoc-0:1.2.9-4jpp.8.el5_10.x86_64 as a component of Red Hat Enterprise Linux Desktop Workstation (v. 5 client)",
"product_id": "5Client-Workstation-5.10.Z:struts-javadoc-0:1.2.9-4jpp.8.el5_10.x86_64"
},
"product_reference": "struts-javadoc-0:1.2.9-4jpp.8.el5_10.x86_64",
"relates_to_product_reference": "5Client-Workstation-5.10.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "struts-manual-0:1.2.9-4jpp.8.el5_10.i386 as a component of Red Hat Enterprise Linux Desktop Workstation (v. 5 client)",
"product_id": "5Client-Workstation-5.10.Z:struts-manual-0:1.2.9-4jpp.8.el5_10.i386"
},
"product_reference": "struts-manual-0:1.2.9-4jpp.8.el5_10.i386",
"relates_to_product_reference": "5Client-Workstation-5.10.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "struts-manual-0:1.2.9-4jpp.8.el5_10.ia64 as a component of Red Hat Enterprise Linux Desktop Workstation (v. 5 client)",
"product_id": "5Client-Workstation-5.10.Z:struts-manual-0:1.2.9-4jpp.8.el5_10.ia64"
},
"product_reference": "struts-manual-0:1.2.9-4jpp.8.el5_10.ia64",
"relates_to_product_reference": "5Client-Workstation-5.10.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "struts-manual-0:1.2.9-4jpp.8.el5_10.ppc as a component of Red Hat Enterprise Linux Desktop Workstation (v. 5 client)",
"product_id": "5Client-Workstation-5.10.Z:struts-manual-0:1.2.9-4jpp.8.el5_10.ppc"
},
"product_reference": "struts-manual-0:1.2.9-4jpp.8.el5_10.ppc",
"relates_to_product_reference": "5Client-Workstation-5.10.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "struts-manual-0:1.2.9-4jpp.8.el5_10.s390x as a component of Red Hat Enterprise Linux Desktop Workstation (v. 5 client)",
"product_id": "5Client-Workstation-5.10.Z:struts-manual-0:1.2.9-4jpp.8.el5_10.s390x"
},
"product_reference": "struts-manual-0:1.2.9-4jpp.8.el5_10.s390x",
"relates_to_product_reference": "5Client-Workstation-5.10.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "struts-manual-0:1.2.9-4jpp.8.el5_10.x86_64 as a component of Red Hat Enterprise Linux Desktop Workstation (v. 5 client)",
"product_id": "5Client-Workstation-5.10.Z:struts-manual-0:1.2.9-4jpp.8.el5_10.x86_64"
},
"product_reference": "struts-manual-0:1.2.9-4jpp.8.el5_10.x86_64",
"relates_to_product_reference": "5Client-Workstation-5.10.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.i386 as a component of Red Hat Enterprise Linux Desktop Workstation (v. 5 client)",
"product_id": "5Client-Workstation-5.10.Z:struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.i386"
},
"product_reference": "struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.i386",
"relates_to_product_reference": "5Client-Workstation-5.10.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.ia64 as a component of Red Hat Enterprise Linux Desktop Workstation (v. 5 client)",
"product_id": "5Client-Workstation-5.10.Z:struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.ia64"
},
"product_reference": "struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.ia64",
"relates_to_product_reference": "5Client-Workstation-5.10.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.ppc as a component of Red Hat Enterprise Linux Desktop Workstation (v. 5 client)",
"product_id": "5Client-Workstation-5.10.Z:struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.ppc"
},
"product_reference": "struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.ppc",
"relates_to_product_reference": "5Client-Workstation-5.10.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.s390x as a component of Red Hat Enterprise Linux Desktop Workstation (v. 5 client)",
"product_id": "5Client-Workstation-5.10.Z:struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.s390x"
},
"product_reference": "struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.s390x",
"relates_to_product_reference": "5Client-Workstation-5.10.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.x86_64 as a component of Red Hat Enterprise Linux Desktop Workstation (v. 5 client)",
"product_id": "5Client-Workstation-5.10.Z:struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.x86_64"
},
"product_reference": "struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.x86_64",
"relates_to_product_reference": "5Client-Workstation-5.10.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "struts-0:1.2.9-4jpp.8.el5_10.i386 as a component of Red Hat Enterprise Linux (v. 5 server)",
"product_id": "5Server-5.10.Z:struts-0:1.2.9-4jpp.8.el5_10.i386"
},
"product_reference": "struts-0:1.2.9-4jpp.8.el5_10.i386",
"relates_to_product_reference": "5Server-5.10.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "struts-0:1.2.9-4jpp.8.el5_10.ia64 as a component of Red Hat Enterprise Linux (v. 5 server)",
"product_id": "5Server-5.10.Z:struts-0:1.2.9-4jpp.8.el5_10.ia64"
},
"product_reference": "struts-0:1.2.9-4jpp.8.el5_10.ia64",
"relates_to_product_reference": "5Server-5.10.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "struts-0:1.2.9-4jpp.8.el5_10.ppc as a component of Red Hat Enterprise Linux (v. 5 server)",
"product_id": "5Server-5.10.Z:struts-0:1.2.9-4jpp.8.el5_10.ppc"
},
"product_reference": "struts-0:1.2.9-4jpp.8.el5_10.ppc",
"relates_to_product_reference": "5Server-5.10.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "struts-0:1.2.9-4jpp.8.el5_10.s390x as a component of Red Hat Enterprise Linux (v. 5 server)",
"product_id": "5Server-5.10.Z:struts-0:1.2.9-4jpp.8.el5_10.s390x"
},
"product_reference": "struts-0:1.2.9-4jpp.8.el5_10.s390x",
"relates_to_product_reference": "5Server-5.10.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "struts-0:1.2.9-4jpp.8.el5_10.src as a component of Red Hat Enterprise Linux (v. 5 server)",
"product_id": "5Server-5.10.Z:struts-0:1.2.9-4jpp.8.el5_10.src"
},
"product_reference": "struts-0:1.2.9-4jpp.8.el5_10.src",
"relates_to_product_reference": "5Server-5.10.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "struts-0:1.2.9-4jpp.8.el5_10.x86_64 as a component of Red Hat Enterprise Linux (v. 5 server)",
"product_id": "5Server-5.10.Z:struts-0:1.2.9-4jpp.8.el5_10.x86_64"
},
"product_reference": "struts-0:1.2.9-4jpp.8.el5_10.x86_64",
"relates_to_product_reference": "5Server-5.10.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "struts-debuginfo-0:1.2.9-4jpp.8.el5_10.i386 as a component of Red Hat Enterprise Linux (v. 5 server)",
"product_id": "5Server-5.10.Z:struts-debuginfo-0:1.2.9-4jpp.8.el5_10.i386"
},
"product_reference": "struts-debuginfo-0:1.2.9-4jpp.8.el5_10.i386",
"relates_to_product_reference": "5Server-5.10.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "struts-debuginfo-0:1.2.9-4jpp.8.el5_10.ia64 as a component of Red Hat Enterprise Linux (v. 5 server)",
"product_id": "5Server-5.10.Z:struts-debuginfo-0:1.2.9-4jpp.8.el5_10.ia64"
},
"product_reference": "struts-debuginfo-0:1.2.9-4jpp.8.el5_10.ia64",
"relates_to_product_reference": "5Server-5.10.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "struts-debuginfo-0:1.2.9-4jpp.8.el5_10.ppc as a component of Red Hat Enterprise Linux (v. 5 server)",
"product_id": "5Server-5.10.Z:struts-debuginfo-0:1.2.9-4jpp.8.el5_10.ppc"
},
"product_reference": "struts-debuginfo-0:1.2.9-4jpp.8.el5_10.ppc",
"relates_to_product_reference": "5Server-5.10.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "struts-debuginfo-0:1.2.9-4jpp.8.el5_10.s390x as a component of Red Hat Enterprise Linux (v. 5 server)",
"product_id": "5Server-5.10.Z:struts-debuginfo-0:1.2.9-4jpp.8.el5_10.s390x"
},
"product_reference": "struts-debuginfo-0:1.2.9-4jpp.8.el5_10.s390x",
"relates_to_product_reference": "5Server-5.10.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "struts-debuginfo-0:1.2.9-4jpp.8.el5_10.x86_64 as a component of Red Hat Enterprise Linux (v. 5 server)",
"product_id": "5Server-5.10.Z:struts-debuginfo-0:1.2.9-4jpp.8.el5_10.x86_64"
},
"product_reference": "struts-debuginfo-0:1.2.9-4jpp.8.el5_10.x86_64",
"relates_to_product_reference": "5Server-5.10.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "struts-javadoc-0:1.2.9-4jpp.8.el5_10.i386 as a component of Red Hat Enterprise Linux (v. 5 server)",
"product_id": "5Server-5.10.Z:struts-javadoc-0:1.2.9-4jpp.8.el5_10.i386"
},
"product_reference": "struts-javadoc-0:1.2.9-4jpp.8.el5_10.i386",
"relates_to_product_reference": "5Server-5.10.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "struts-javadoc-0:1.2.9-4jpp.8.el5_10.ia64 as a component of Red Hat Enterprise Linux (v. 5 server)",
"product_id": "5Server-5.10.Z:struts-javadoc-0:1.2.9-4jpp.8.el5_10.ia64"
},
"product_reference": "struts-javadoc-0:1.2.9-4jpp.8.el5_10.ia64",
"relates_to_product_reference": "5Server-5.10.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "struts-javadoc-0:1.2.9-4jpp.8.el5_10.ppc as a component of Red Hat Enterprise Linux (v. 5 server)",
"product_id": "5Server-5.10.Z:struts-javadoc-0:1.2.9-4jpp.8.el5_10.ppc"
},
"product_reference": "struts-javadoc-0:1.2.9-4jpp.8.el5_10.ppc",
"relates_to_product_reference": "5Server-5.10.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "struts-javadoc-0:1.2.9-4jpp.8.el5_10.s390x as a component of Red Hat Enterprise Linux (v. 5 server)",
"product_id": "5Server-5.10.Z:struts-javadoc-0:1.2.9-4jpp.8.el5_10.s390x"
},
"product_reference": "struts-javadoc-0:1.2.9-4jpp.8.el5_10.s390x",
"relates_to_product_reference": "5Server-5.10.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "struts-javadoc-0:1.2.9-4jpp.8.el5_10.x86_64 as a component of Red Hat Enterprise Linux (v. 5 server)",
"product_id": "5Server-5.10.Z:struts-javadoc-0:1.2.9-4jpp.8.el5_10.x86_64"
},
"product_reference": "struts-javadoc-0:1.2.9-4jpp.8.el5_10.x86_64",
"relates_to_product_reference": "5Server-5.10.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "struts-manual-0:1.2.9-4jpp.8.el5_10.i386 as a component of Red Hat Enterprise Linux (v. 5 server)",
"product_id": "5Server-5.10.Z:struts-manual-0:1.2.9-4jpp.8.el5_10.i386"
},
"product_reference": "struts-manual-0:1.2.9-4jpp.8.el5_10.i386",
"relates_to_product_reference": "5Server-5.10.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "struts-manual-0:1.2.9-4jpp.8.el5_10.ia64 as a component of Red Hat Enterprise Linux (v. 5 server)",
"product_id": "5Server-5.10.Z:struts-manual-0:1.2.9-4jpp.8.el5_10.ia64"
},
"product_reference": "struts-manual-0:1.2.9-4jpp.8.el5_10.ia64",
"relates_to_product_reference": "5Server-5.10.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "struts-manual-0:1.2.9-4jpp.8.el5_10.ppc as a component of Red Hat Enterprise Linux (v. 5 server)",
"product_id": "5Server-5.10.Z:struts-manual-0:1.2.9-4jpp.8.el5_10.ppc"
},
"product_reference": "struts-manual-0:1.2.9-4jpp.8.el5_10.ppc",
"relates_to_product_reference": "5Server-5.10.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "struts-manual-0:1.2.9-4jpp.8.el5_10.s390x as a component of Red Hat Enterprise Linux (v. 5 server)",
"product_id": "5Server-5.10.Z:struts-manual-0:1.2.9-4jpp.8.el5_10.s390x"
},
"product_reference": "struts-manual-0:1.2.9-4jpp.8.el5_10.s390x",
"relates_to_product_reference": "5Server-5.10.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "struts-manual-0:1.2.9-4jpp.8.el5_10.x86_64 as a component of Red Hat Enterprise Linux (v. 5 server)",
"product_id": "5Server-5.10.Z:struts-manual-0:1.2.9-4jpp.8.el5_10.x86_64"
},
"product_reference": "struts-manual-0:1.2.9-4jpp.8.el5_10.x86_64",
"relates_to_product_reference": "5Server-5.10.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.i386 as a component of Red Hat Enterprise Linux (v. 5 server)",
"product_id": "5Server-5.10.Z:struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.i386"
},
"product_reference": "struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.i386",
"relates_to_product_reference": "5Server-5.10.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.ia64 as a component of Red Hat Enterprise Linux (v. 5 server)",
"product_id": "5Server-5.10.Z:struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.ia64"
},
"product_reference": "struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.ia64",
"relates_to_product_reference": "5Server-5.10.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.ppc as a component of Red Hat Enterprise Linux (v. 5 server)",
"product_id": "5Server-5.10.Z:struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.ppc"
},
"product_reference": "struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.ppc",
"relates_to_product_reference": "5Server-5.10.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.s390x as a component of Red Hat Enterprise Linux (v. 5 server)",
"product_id": "5Server-5.10.Z:struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.s390x"
},
"product_reference": "struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.s390x",
"relates_to_product_reference": "5Server-5.10.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.x86_64 as a component of Red Hat Enterprise Linux (v. 5 server)",
"product_id": "5Server-5.10.Z:struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.x86_64"
},
"product_reference": "struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.x86_64",
"relates_to_product_reference": "5Server-5.10.Z"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2014-0114",
"cwe": {
"id": "CWE-470",
"name": "Use of Externally-Controlled Input to Select Classes or Code (\u0027Unsafe Reflection\u0027)"
},
"discovery_date": "2014-04-28T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1091938"
}
],
"notes": [
{
"category": "description",
"text": "Apache Commons BeanUtils, as distributed in lib/commons-beanutils-1.8.0.jar in Apache Struts 1.x through 1.3.10 and in other products requiring commons-beanutils through 1.9.2, does not suppress the class property, which allows remote attackers to \"manipulate\" the ClassLoader and execute arbitrary code via the class parameter, as demonstrated by the passing of this parameter to the getClass method of the ActionForm object in Struts 1.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "1: Class Loader manipulation via request parameters",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This flaw allows attackers to manipulate ClassLoader properties on a vulnerable server. The impact of this depends on which ClassLoader properties are exposed. Exploits that lead to remote code execution have been published. These exploits rely on ClassLoader properties that are exposed on Tomcat 8, which is not included in any supported Red Hat products. However, some Red Hat products that ship Struts 1 do expose ClassLoader properties that could potentially be exploited. Additional information can be found in the Red Hat Knowledgebase article: https://access.redhat.com/site/solutions/869353",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"5Client-Workstation-5.10.Z:struts-0:1.2.9-4jpp.8.el5_10.i386",
"5Client-Workstation-5.10.Z:struts-0:1.2.9-4jpp.8.el5_10.ia64",
"5Client-Workstation-5.10.Z:struts-0:1.2.9-4jpp.8.el5_10.ppc",
"5Client-Workstation-5.10.Z:struts-0:1.2.9-4jpp.8.el5_10.s390x",
"5Client-Workstation-5.10.Z:struts-0:1.2.9-4jpp.8.el5_10.src",
"5Client-Workstation-5.10.Z:struts-0:1.2.9-4jpp.8.el5_10.x86_64",
"5Client-Workstation-5.10.Z:struts-debuginfo-0:1.2.9-4jpp.8.el5_10.i386",
"5Client-Workstation-5.10.Z:struts-debuginfo-0:1.2.9-4jpp.8.el5_10.ia64",
"5Client-Workstation-5.10.Z:struts-debuginfo-0:1.2.9-4jpp.8.el5_10.ppc",
"5Client-Workstation-5.10.Z:struts-debuginfo-0:1.2.9-4jpp.8.el5_10.s390x",
"5Client-Workstation-5.10.Z:struts-debuginfo-0:1.2.9-4jpp.8.el5_10.x86_64",
"5Client-Workstation-5.10.Z:struts-javadoc-0:1.2.9-4jpp.8.el5_10.i386",
"5Client-Workstation-5.10.Z:struts-javadoc-0:1.2.9-4jpp.8.el5_10.ia64",
"5Client-Workstation-5.10.Z:struts-javadoc-0:1.2.9-4jpp.8.el5_10.ppc",
"5Client-Workstation-5.10.Z:struts-javadoc-0:1.2.9-4jpp.8.el5_10.s390x",
"5Client-Workstation-5.10.Z:struts-javadoc-0:1.2.9-4jpp.8.el5_10.x86_64",
"5Client-Workstation-5.10.Z:struts-manual-0:1.2.9-4jpp.8.el5_10.i386",
"5Client-Workstation-5.10.Z:struts-manual-0:1.2.9-4jpp.8.el5_10.ia64",
"5Client-Workstation-5.10.Z:struts-manual-0:1.2.9-4jpp.8.el5_10.ppc",
"5Client-Workstation-5.10.Z:struts-manual-0:1.2.9-4jpp.8.el5_10.s390x",
"5Client-Workstation-5.10.Z:struts-manual-0:1.2.9-4jpp.8.el5_10.x86_64",
"5Client-Workstation-5.10.Z:struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.i386",
"5Client-Workstation-5.10.Z:struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.ia64",
"5Client-Workstation-5.10.Z:struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.ppc",
"5Client-Workstation-5.10.Z:struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.s390x",
"5Client-Workstation-5.10.Z:struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.x86_64",
"5Server-5.10.Z:struts-0:1.2.9-4jpp.8.el5_10.i386",
"5Server-5.10.Z:struts-0:1.2.9-4jpp.8.el5_10.ia64",
"5Server-5.10.Z:struts-0:1.2.9-4jpp.8.el5_10.ppc",
"5Server-5.10.Z:struts-0:1.2.9-4jpp.8.el5_10.s390x",
"5Server-5.10.Z:struts-0:1.2.9-4jpp.8.el5_10.src",
"5Server-5.10.Z:struts-0:1.2.9-4jpp.8.el5_10.x86_64",
"5Server-5.10.Z:struts-debuginfo-0:1.2.9-4jpp.8.el5_10.i386",
"5Server-5.10.Z:struts-debuginfo-0:1.2.9-4jpp.8.el5_10.ia64",
"5Server-5.10.Z:struts-debuginfo-0:1.2.9-4jpp.8.el5_10.ppc",
"5Server-5.10.Z:struts-debuginfo-0:1.2.9-4jpp.8.el5_10.s390x",
"5Server-5.10.Z:struts-debuginfo-0:1.2.9-4jpp.8.el5_10.x86_64",
"5Server-5.10.Z:struts-javadoc-0:1.2.9-4jpp.8.el5_10.i386",
"5Server-5.10.Z:struts-javadoc-0:1.2.9-4jpp.8.el5_10.ia64",
"5Server-5.10.Z:struts-javadoc-0:1.2.9-4jpp.8.el5_10.ppc",
"5Server-5.10.Z:struts-javadoc-0:1.2.9-4jpp.8.el5_10.s390x",
"5Server-5.10.Z:struts-javadoc-0:1.2.9-4jpp.8.el5_10.x86_64",
"5Server-5.10.Z:struts-manual-0:1.2.9-4jpp.8.el5_10.i386",
"5Server-5.10.Z:struts-manual-0:1.2.9-4jpp.8.el5_10.ia64",
"5Server-5.10.Z:struts-manual-0:1.2.9-4jpp.8.el5_10.ppc",
"5Server-5.10.Z:struts-manual-0:1.2.9-4jpp.8.el5_10.s390x",
"5Server-5.10.Z:struts-manual-0:1.2.9-4jpp.8.el5_10.x86_64",
"5Server-5.10.Z:struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.i386",
"5Server-5.10.Z:struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.ia64",
"5Server-5.10.Z:struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.ppc",
"5Server-5.10.Z:struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.s390x",
"5Server-5.10.Z:struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2014-0114"
},
{
"category": "external",
"summary": "RHBZ#1091938",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1091938"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2014-0114",
"url": "https://www.cve.org/CVERecord?id=CVE-2014-0114"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2014-0114",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2014-0114"
}
],
"release_date": "2014-04-29T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2014-05-07T04:56:26+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nThis update is available via the Red Hat Network. Details on how to\nuse the Red Hat Network to apply this update are available at\nhttps://access.redhat.com/site/articles/11258",
"product_ids": [
"5Client-Workstation-5.10.Z:struts-0:1.2.9-4jpp.8.el5_10.i386",
"5Client-Workstation-5.10.Z:struts-0:1.2.9-4jpp.8.el5_10.ia64",
"5Client-Workstation-5.10.Z:struts-0:1.2.9-4jpp.8.el5_10.ppc",
"5Client-Workstation-5.10.Z:struts-0:1.2.9-4jpp.8.el5_10.s390x",
"5Client-Workstation-5.10.Z:struts-0:1.2.9-4jpp.8.el5_10.src",
"5Client-Workstation-5.10.Z:struts-0:1.2.9-4jpp.8.el5_10.x86_64",
"5Client-Workstation-5.10.Z:struts-debuginfo-0:1.2.9-4jpp.8.el5_10.i386",
"5Client-Workstation-5.10.Z:struts-debuginfo-0:1.2.9-4jpp.8.el5_10.ia64",
"5Client-Workstation-5.10.Z:struts-debuginfo-0:1.2.9-4jpp.8.el5_10.ppc",
"5Client-Workstation-5.10.Z:struts-debuginfo-0:1.2.9-4jpp.8.el5_10.s390x",
"5Client-Workstation-5.10.Z:struts-debuginfo-0:1.2.9-4jpp.8.el5_10.x86_64",
"5Client-Workstation-5.10.Z:struts-javadoc-0:1.2.9-4jpp.8.el5_10.i386",
"5Client-Workstation-5.10.Z:struts-javadoc-0:1.2.9-4jpp.8.el5_10.ia64",
"5Client-Workstation-5.10.Z:struts-javadoc-0:1.2.9-4jpp.8.el5_10.ppc",
"5Client-Workstation-5.10.Z:struts-javadoc-0:1.2.9-4jpp.8.el5_10.s390x",
"5Client-Workstation-5.10.Z:struts-javadoc-0:1.2.9-4jpp.8.el5_10.x86_64",
"5Client-Workstation-5.10.Z:struts-manual-0:1.2.9-4jpp.8.el5_10.i386",
"5Client-Workstation-5.10.Z:struts-manual-0:1.2.9-4jpp.8.el5_10.ia64",
"5Client-Workstation-5.10.Z:struts-manual-0:1.2.9-4jpp.8.el5_10.ppc",
"5Client-Workstation-5.10.Z:struts-manual-0:1.2.9-4jpp.8.el5_10.s390x",
"5Client-Workstation-5.10.Z:struts-manual-0:1.2.9-4jpp.8.el5_10.x86_64",
"5Client-Workstation-5.10.Z:struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.i386",
"5Client-Workstation-5.10.Z:struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.ia64",
"5Client-Workstation-5.10.Z:struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.ppc",
"5Client-Workstation-5.10.Z:struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.s390x",
"5Client-Workstation-5.10.Z:struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.x86_64",
"5Server-5.10.Z:struts-0:1.2.9-4jpp.8.el5_10.i386",
"5Server-5.10.Z:struts-0:1.2.9-4jpp.8.el5_10.ia64",
"5Server-5.10.Z:struts-0:1.2.9-4jpp.8.el5_10.ppc",
"5Server-5.10.Z:struts-0:1.2.9-4jpp.8.el5_10.s390x",
"5Server-5.10.Z:struts-0:1.2.9-4jpp.8.el5_10.src",
"5Server-5.10.Z:struts-0:1.2.9-4jpp.8.el5_10.x86_64",
"5Server-5.10.Z:struts-debuginfo-0:1.2.9-4jpp.8.el5_10.i386",
"5Server-5.10.Z:struts-debuginfo-0:1.2.9-4jpp.8.el5_10.ia64",
"5Server-5.10.Z:struts-debuginfo-0:1.2.9-4jpp.8.el5_10.ppc",
"5Server-5.10.Z:struts-debuginfo-0:1.2.9-4jpp.8.el5_10.s390x",
"5Server-5.10.Z:struts-debuginfo-0:1.2.9-4jpp.8.el5_10.x86_64",
"5Server-5.10.Z:struts-javadoc-0:1.2.9-4jpp.8.el5_10.i386",
"5Server-5.10.Z:struts-javadoc-0:1.2.9-4jpp.8.el5_10.ia64",
"5Server-5.10.Z:struts-javadoc-0:1.2.9-4jpp.8.el5_10.ppc",
"5Server-5.10.Z:struts-javadoc-0:1.2.9-4jpp.8.el5_10.s390x",
"5Server-5.10.Z:struts-javadoc-0:1.2.9-4jpp.8.el5_10.x86_64",
"5Server-5.10.Z:struts-manual-0:1.2.9-4jpp.8.el5_10.i386",
"5Server-5.10.Z:struts-manual-0:1.2.9-4jpp.8.el5_10.ia64",
"5Server-5.10.Z:struts-manual-0:1.2.9-4jpp.8.el5_10.ppc",
"5Server-5.10.Z:struts-manual-0:1.2.9-4jpp.8.el5_10.s390x",
"5Server-5.10.Z:struts-manual-0:1.2.9-4jpp.8.el5_10.x86_64",
"5Server-5.10.Z:struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.i386",
"5Server-5.10.Z:struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.ia64",
"5Server-5.10.Z:struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.ppc",
"5Server-5.10.Z:struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.s390x",
"5Server-5.10.Z:struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2014:0474"
},
{
"category": "workaround",
"details": "http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/Protect-your-Struts1-applications/ba-p/6463188#.VCaGk3V53Ua",
"product_ids": [
"5Client-Workstation-5.10.Z:struts-0:1.2.9-4jpp.8.el5_10.i386",
"5Client-Workstation-5.10.Z:struts-0:1.2.9-4jpp.8.el5_10.ia64",
"5Client-Workstation-5.10.Z:struts-0:1.2.9-4jpp.8.el5_10.ppc",
"5Client-Workstation-5.10.Z:struts-0:1.2.9-4jpp.8.el5_10.s390x",
"5Client-Workstation-5.10.Z:struts-0:1.2.9-4jpp.8.el5_10.src",
"5Client-Workstation-5.10.Z:struts-0:1.2.9-4jpp.8.el5_10.x86_64",
"5Client-Workstation-5.10.Z:struts-debuginfo-0:1.2.9-4jpp.8.el5_10.i386",
"5Client-Workstation-5.10.Z:struts-debuginfo-0:1.2.9-4jpp.8.el5_10.ia64",
"5Client-Workstation-5.10.Z:struts-debuginfo-0:1.2.9-4jpp.8.el5_10.ppc",
"5Client-Workstation-5.10.Z:struts-debuginfo-0:1.2.9-4jpp.8.el5_10.s390x",
"5Client-Workstation-5.10.Z:struts-debuginfo-0:1.2.9-4jpp.8.el5_10.x86_64",
"5Client-Workstation-5.10.Z:struts-javadoc-0:1.2.9-4jpp.8.el5_10.i386",
"5Client-Workstation-5.10.Z:struts-javadoc-0:1.2.9-4jpp.8.el5_10.ia64",
"5Client-Workstation-5.10.Z:struts-javadoc-0:1.2.9-4jpp.8.el5_10.ppc",
"5Client-Workstation-5.10.Z:struts-javadoc-0:1.2.9-4jpp.8.el5_10.s390x",
"5Client-Workstation-5.10.Z:struts-javadoc-0:1.2.9-4jpp.8.el5_10.x86_64",
"5Client-Workstation-5.10.Z:struts-manual-0:1.2.9-4jpp.8.el5_10.i386",
"5Client-Workstation-5.10.Z:struts-manual-0:1.2.9-4jpp.8.el5_10.ia64",
"5Client-Workstation-5.10.Z:struts-manual-0:1.2.9-4jpp.8.el5_10.ppc",
"5Client-Workstation-5.10.Z:struts-manual-0:1.2.9-4jpp.8.el5_10.s390x",
"5Client-Workstation-5.10.Z:struts-manual-0:1.2.9-4jpp.8.el5_10.x86_64",
"5Client-Workstation-5.10.Z:struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.i386",
"5Client-Workstation-5.10.Z:struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.ia64",
"5Client-Workstation-5.10.Z:struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.ppc",
"5Client-Workstation-5.10.Z:struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.s390x",
"5Client-Workstation-5.10.Z:struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.x86_64",
"5Server-5.10.Z:struts-0:1.2.9-4jpp.8.el5_10.i386",
"5Server-5.10.Z:struts-0:1.2.9-4jpp.8.el5_10.ia64",
"5Server-5.10.Z:struts-0:1.2.9-4jpp.8.el5_10.ppc",
"5Server-5.10.Z:struts-0:1.2.9-4jpp.8.el5_10.s390x",
"5Server-5.10.Z:struts-0:1.2.9-4jpp.8.el5_10.src",
"5Server-5.10.Z:struts-0:1.2.9-4jpp.8.el5_10.x86_64",
"5Server-5.10.Z:struts-debuginfo-0:1.2.9-4jpp.8.el5_10.i386",
"5Server-5.10.Z:struts-debuginfo-0:1.2.9-4jpp.8.el5_10.ia64",
"5Server-5.10.Z:struts-debuginfo-0:1.2.9-4jpp.8.el5_10.ppc",
"5Server-5.10.Z:struts-debuginfo-0:1.2.9-4jpp.8.el5_10.s390x",
"5Server-5.10.Z:struts-debuginfo-0:1.2.9-4jpp.8.el5_10.x86_64",
"5Server-5.10.Z:struts-javadoc-0:1.2.9-4jpp.8.el5_10.i386",
"5Server-5.10.Z:struts-javadoc-0:1.2.9-4jpp.8.el5_10.ia64",
"5Server-5.10.Z:struts-javadoc-0:1.2.9-4jpp.8.el5_10.ppc",
"5Server-5.10.Z:struts-javadoc-0:1.2.9-4jpp.8.el5_10.s390x",
"5Server-5.10.Z:struts-javadoc-0:1.2.9-4jpp.8.el5_10.x86_64",
"5Server-5.10.Z:struts-manual-0:1.2.9-4jpp.8.el5_10.i386",
"5Server-5.10.Z:struts-manual-0:1.2.9-4jpp.8.el5_10.ia64",
"5Server-5.10.Z:struts-manual-0:1.2.9-4jpp.8.el5_10.ppc",
"5Server-5.10.Z:struts-manual-0:1.2.9-4jpp.8.el5_10.s390x",
"5Server-5.10.Z:struts-manual-0:1.2.9-4jpp.8.el5_10.x86_64",
"5Server-5.10.Z:struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.i386",
"5Server-5.10.Z:struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.ia64",
"5Server-5.10.Z:struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.ppc",
"5Server-5.10.Z:struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.s390x",
"5Server-5.10.Z:struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.x86_64"
]
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"products": [
"5Client-Workstation-5.10.Z:struts-0:1.2.9-4jpp.8.el5_10.i386",
"5Client-Workstation-5.10.Z:struts-0:1.2.9-4jpp.8.el5_10.ia64",
"5Client-Workstation-5.10.Z:struts-0:1.2.9-4jpp.8.el5_10.ppc",
"5Client-Workstation-5.10.Z:struts-0:1.2.9-4jpp.8.el5_10.s390x",
"5Client-Workstation-5.10.Z:struts-0:1.2.9-4jpp.8.el5_10.src",
"5Client-Workstation-5.10.Z:struts-0:1.2.9-4jpp.8.el5_10.x86_64",
"5Client-Workstation-5.10.Z:struts-debuginfo-0:1.2.9-4jpp.8.el5_10.i386",
"5Client-Workstation-5.10.Z:struts-debuginfo-0:1.2.9-4jpp.8.el5_10.ia64",
"5Client-Workstation-5.10.Z:struts-debuginfo-0:1.2.9-4jpp.8.el5_10.ppc",
"5Client-Workstation-5.10.Z:struts-debuginfo-0:1.2.9-4jpp.8.el5_10.s390x",
"5Client-Workstation-5.10.Z:struts-debuginfo-0:1.2.9-4jpp.8.el5_10.x86_64",
"5Client-Workstation-5.10.Z:struts-javadoc-0:1.2.9-4jpp.8.el5_10.i386",
"5Client-Workstation-5.10.Z:struts-javadoc-0:1.2.9-4jpp.8.el5_10.ia64",
"5Client-Workstation-5.10.Z:struts-javadoc-0:1.2.9-4jpp.8.el5_10.ppc",
"5Client-Workstation-5.10.Z:struts-javadoc-0:1.2.9-4jpp.8.el5_10.s390x",
"5Client-Workstation-5.10.Z:struts-javadoc-0:1.2.9-4jpp.8.el5_10.x86_64",
"5Client-Workstation-5.10.Z:struts-manual-0:1.2.9-4jpp.8.el5_10.i386",
"5Client-Workstation-5.10.Z:struts-manual-0:1.2.9-4jpp.8.el5_10.ia64",
"5Client-Workstation-5.10.Z:struts-manual-0:1.2.9-4jpp.8.el5_10.ppc",
"5Client-Workstation-5.10.Z:struts-manual-0:1.2.9-4jpp.8.el5_10.s390x",
"5Client-Workstation-5.10.Z:struts-manual-0:1.2.9-4jpp.8.el5_10.x86_64",
"5Client-Workstation-5.10.Z:struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.i386",
"5Client-Workstation-5.10.Z:struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.ia64",
"5Client-Workstation-5.10.Z:struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.ppc",
"5Client-Workstation-5.10.Z:struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.s390x",
"5Client-Workstation-5.10.Z:struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.x86_64",
"5Server-5.10.Z:struts-0:1.2.9-4jpp.8.el5_10.i386",
"5Server-5.10.Z:struts-0:1.2.9-4jpp.8.el5_10.ia64",
"5Server-5.10.Z:struts-0:1.2.9-4jpp.8.el5_10.ppc",
"5Server-5.10.Z:struts-0:1.2.9-4jpp.8.el5_10.s390x",
"5Server-5.10.Z:struts-0:1.2.9-4jpp.8.el5_10.src",
"5Server-5.10.Z:struts-0:1.2.9-4jpp.8.el5_10.x86_64",
"5Server-5.10.Z:struts-debuginfo-0:1.2.9-4jpp.8.el5_10.i386",
"5Server-5.10.Z:struts-debuginfo-0:1.2.9-4jpp.8.el5_10.ia64",
"5Server-5.10.Z:struts-debuginfo-0:1.2.9-4jpp.8.el5_10.ppc",
"5Server-5.10.Z:struts-debuginfo-0:1.2.9-4jpp.8.el5_10.s390x",
"5Server-5.10.Z:struts-debuginfo-0:1.2.9-4jpp.8.el5_10.x86_64",
"5Server-5.10.Z:struts-javadoc-0:1.2.9-4jpp.8.el5_10.i386",
"5Server-5.10.Z:struts-javadoc-0:1.2.9-4jpp.8.el5_10.ia64",
"5Server-5.10.Z:struts-javadoc-0:1.2.9-4jpp.8.el5_10.ppc",
"5Server-5.10.Z:struts-javadoc-0:1.2.9-4jpp.8.el5_10.s390x",
"5Server-5.10.Z:struts-javadoc-0:1.2.9-4jpp.8.el5_10.x86_64",
"5Server-5.10.Z:struts-manual-0:1.2.9-4jpp.8.el5_10.i386",
"5Server-5.10.Z:struts-manual-0:1.2.9-4jpp.8.el5_10.ia64",
"5Server-5.10.Z:struts-manual-0:1.2.9-4jpp.8.el5_10.ppc",
"5Server-5.10.Z:struts-manual-0:1.2.9-4jpp.8.el5_10.s390x",
"5Server-5.10.Z:struts-manual-0:1.2.9-4jpp.8.el5_10.x86_64",
"5Server-5.10.Z:struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.i386",
"5Server-5.10.Z:struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.ia64",
"5Server-5.10.Z:struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.ppc",
"5Server-5.10.Z:struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.s390x",
"5Server-5.10.Z:struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "1: Class Loader manipulation via request parameters"
}
]
}
rhsa-2014_0511
Vulnerability from csaf_redhat
Published
2014-05-15 17:18
Modified
2024-11-05 18:25
Summary
Red Hat Security Advisory: Red Hat JBoss Operations Network 3.2.1 security update
Notes
Topic
An update for Red Hat JBoss Operations Network 3.2.1, which fixes two
security issues, is now available from the Red Hat Customer Portal.
The Red Hat Security Response Team has rated this update as having
Important security impact. Common Vulnerability Scoring System (CVSS) base
scores, which give detailed severity ratings, are available for each
vulnerability from the CVE links in the References section.
Details
Red Hat JBoss Operations Network is a middleware management solution that
provides a single point of control to deploy, manage, and monitor JBoss
Enterprise Middleware, applications, and services.
Apache Struts is a framework for building web applications with Java.
It was found that the Struts 1 ActionForm object allowed access to the
'class' parameter, which is directly mapped to the getClass() method. A
remote attacker could use this flaw to manipulate the ClassLoader used by
an application server running Struts 1. This could lead to remote code
execution under certain conditions. (CVE-2014-0114)
It was found that when JBoss Web processed a series of HTTP requests in
which at least one request contained either multiple content-length
headers, or one content-length header with a chunked transfer-encoding
header, JBoss Web would incorrectly handle the request. A remote attacker
could use this flaw to poison a web cache, perform cross-site scripting
(XSS) attacks, or obtain sensitive information from other requests.
(CVE-2013-4286)
All users of JBoss Operations Network 3.2.1 as provided from the Red Hat
Customer Portal are advised to apply this update.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for Red Hat JBoss Operations Network 3.2.1, which fixes two\nsecurity issues, is now available from the Red Hat Customer Portal.\n\nThe Red Hat Security Response Team has rated this update as having\nImportant security impact. Common Vulnerability Scoring System (CVSS) base\nscores, which give detailed severity ratings, are available for each\nvulnerability from the CVE links in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Red Hat JBoss Operations Network is a middleware management solution that\nprovides a single point of control to deploy, manage, and monitor JBoss\nEnterprise Middleware, applications, and services.\n\nApache Struts is a framework for building web applications with Java.\n\nIt was found that the Struts 1 ActionForm object allowed access to the\n\u0027class\u0027 parameter, which is directly mapped to the getClass() method. A\nremote attacker could use this flaw to manipulate the ClassLoader used by\nan application server running Struts 1. This could lead to remote code\nexecution under certain conditions. (CVE-2014-0114)\n\nIt was found that when JBoss Web processed a series of HTTP requests in\nwhich at least one request contained either multiple content-length\nheaders, or one content-length header with a chunked transfer-encoding\nheader, JBoss Web would incorrectly handle the request. A remote attacker\ncould use this flaw to poison a web cache, perform cross-site scripting\n(XSS) attacks, or obtain sensitive information from other requests.\n(CVE-2013-4286)\n\nAll users of JBoss Operations Network 3.2.1 as provided from the Red Hat\nCustomer Portal are advised to apply this update.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2014:0511",
"url": "https://access.redhat.com/errata/RHSA-2014:0511"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=securityPatches\u0026product=em\u0026version=3.2.0",
"url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=securityPatches\u0026product=em\u0026version=3.2.0"
},
{
"category": "external",
"summary": "1069921",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1069921"
},
{
"category": "external",
"summary": "1091938",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1091938"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2014/rhsa-2014_0511.json"
}
],
"title": "Red Hat Security Advisory: Red Hat JBoss Operations Network 3.2.1 security update",
"tracking": {
"current_release_date": "2024-11-05T18:25:33+00:00",
"generator": {
"date": "2024-11-05T18:25:33+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.1.1"
}
},
"id": "RHSA-2014:0511",
"initial_release_date": "2014-05-15T17:18:12+00:00",
"revision_history": [
{
"date": "2014-05-15T17:18:12+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2019-02-20T12:33:11+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2024-11-05T18:25:33+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat JBoss Operations Network 3.2",
"product": {
"name": "Red Hat JBoss Operations Network 3.2",
"product_id": "Red Hat JBoss Operations Network 3.2",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:jboss_operations_network:3.2.1"
}
}
}
],
"category": "product_family",
"name": "Red Hat JBoss Operations Network"
}
],
"category": "vendor",
"name": "Red Hat"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2013-4286",
"discovery_date": "2014-02-25T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1069921"
}
],
"notes": [
{
"category": "description",
"text": "It was found that when Tomcat / JBoss Web processed a series of HTTP requests in which at least one request contained either multiple content-length headers, or one content-length header with a chunked transfer-encoding header, Tomcat / JBoss Web would incorrectly handle the request. A remote attacker could use this flaw to poison a web cache, perform cross-site scripting (XSS) attacks, or obtain sensitive information from other requests.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "tomcat: multiple content-length header poisoning flaws",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss Operations Network 3.2"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2013-4286"
},
{
"category": "external",
"summary": "RHBZ#1069921",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1069921"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2013-4286",
"url": "https://www.cve.org/CVERecord?id=CVE-2013-4286"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2013-4286",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2013-4286"
}
],
"release_date": "2014-02-25T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2014-05-15T17:18:12+00:00",
"details": "The References section of this erratum contains a download link (you must\nlog in to download the update). Before applying this update, back up your\nexisting JBoss Operations Network installation (including its databases,\napplications, configuration files, the JBoss Operations Network server\u0027s\nfile system directory, and so on).\n\nRefer to the \"Manual Instructions\" section of the release description,\navailable from the Customer Portal for this update, for installation\ninformation.",
"product_ids": [
"Red Hat JBoss Operations Network 3.2"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2014:0511"
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.8,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N",
"version": "2.0"
},
"products": [
"Red Hat JBoss Operations Network 3.2"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "tomcat: multiple content-length header poisoning flaws"
},
{
"cve": "CVE-2014-0114",
"cwe": {
"id": "CWE-470",
"name": "Use of Externally-Controlled Input to Select Classes or Code (\u0027Unsafe Reflection\u0027)"
},
"discovery_date": "2014-04-28T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1091938"
}
],
"notes": [
{
"category": "description",
"text": "Apache Commons BeanUtils, as distributed in lib/commons-beanutils-1.8.0.jar in Apache Struts 1.x through 1.3.10 and in other products requiring commons-beanutils through 1.9.2, does not suppress the class property, which allows remote attackers to \"manipulate\" the ClassLoader and execute arbitrary code via the class parameter, as demonstrated by the passing of this parameter to the getClass method of the ActionForm object in Struts 1.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "1: Class Loader manipulation via request parameters",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This flaw allows attackers to manipulate ClassLoader properties on a vulnerable server. The impact of this depends on which ClassLoader properties are exposed. Exploits that lead to remote code execution have been published. These exploits rely on ClassLoader properties that are exposed on Tomcat 8, which is not included in any supported Red Hat products. However, some Red Hat products that ship Struts 1 do expose ClassLoader properties that could potentially be exploited. Additional information can be found in the Red Hat Knowledgebase article: https://access.redhat.com/site/solutions/869353",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss Operations Network 3.2"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2014-0114"
},
{
"category": "external",
"summary": "RHBZ#1091938",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1091938"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2014-0114",
"url": "https://www.cve.org/CVERecord?id=CVE-2014-0114"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2014-0114",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2014-0114"
}
],
"release_date": "2014-04-29T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2014-05-15T17:18:12+00:00",
"details": "The References section of this erratum contains a download link (you must\nlog in to download the update). Before applying this update, back up your\nexisting JBoss Operations Network installation (including its databases,\napplications, configuration files, the JBoss Operations Network server\u0027s\nfile system directory, and so on).\n\nRefer to the \"Manual Instructions\" section of the release description,\navailable from the Customer Portal for this update, for installation\ninformation.",
"product_ids": [
"Red Hat JBoss Operations Network 3.2"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2014:0511"
},
{
"category": "workaround",
"details": "http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/Protect-your-Struts1-applications/ba-p/6463188#.VCaGk3V53Ua",
"product_ids": [
"Red Hat JBoss Operations Network 3.2"
]
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"products": [
"Red Hat JBoss Operations Network 3.2"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "1: Class Loader manipulation via request parameters"
}
]
}
rhsa-2014_0497
Vulnerability from csaf_redhat
Published
2014-05-14 18:06
Modified
2024-11-05 18:25
Summary
Red Hat Security Advisory: Red Hat JBoss Fuse 6.1.0 security update
Notes
Topic
Red Hat JBoss Fuse 6.1.0 Patch 1, a security update that addresses one
security issue, is now available from the Red Hat Customer Portal.
The Red Hat Security Response Team has rated this update as having
Important security impact. A Common Vulnerability Scoring System (CVSS)
base score, which gives a detailed severity rating, is available from the
CVE link in the References section.
Details
Red Hat JBoss Fuse, based on Apache ServiceMix, provides a small-footprint,
flexible, open source enterprise service bus and integration platform.
It was found that the Struts 1 ActionForm object allowed access to the
'class' parameter, which is directly mapped to the getClass() method.
A remote attacker could use this flaw to manipulate the ClassLoader used by
an application server running Struts 1. This could lead to remote code
execution under certain conditions. (CVE-2014-0114)
Refer to the readme.txt file included with the patch files for
installation instructions.
All users of Red Hat JBoss Fuse 6.1.0 as provided from the Red Hat Customer
Portal are advised to apply this security update.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Red Hat JBoss Fuse 6.1.0 Patch 1, a security update that addresses one\nsecurity issue, is now available from the Red Hat Customer Portal.\n\nThe Red Hat Security Response Team has rated this update as having\nImportant security impact. A Common Vulnerability Scoring System (CVSS)\nbase score, which gives a detailed severity rating, is available from the\nCVE link in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Red Hat JBoss Fuse, based on Apache ServiceMix, provides a small-footprint,\nflexible, open source enterprise service bus and integration platform.\n\nIt was found that the Struts 1 ActionForm object allowed access to the\n\u0027class\u0027 parameter, which is directly mapped to the getClass() method.\nA remote attacker could use this flaw to manipulate the ClassLoader used by\nan application server running Struts 1. This could lead to remote code\nexecution under certain conditions. (CVE-2014-0114)\n\nRefer to the readme.txt file included with the patch files for\ninstallation instructions.\n\nAll users of Red Hat JBoss Fuse 6.1.0 as provided from the Red Hat Customer\nPortal are advised to apply this security update.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2014:0497",
"url": "https://access.redhat.com/errata/RHSA-2014:0497"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=jboss.fuse\u0026downloadType=securityPatches\u0026version=6.1.0",
"url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=jboss.fuse\u0026downloadType=securityPatches\u0026version=6.1.0"
},
{
"category": "external",
"summary": "1091938",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1091938"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2014/rhsa-2014_0497.json"
}
],
"title": "Red Hat Security Advisory: Red Hat JBoss Fuse 6.1.0 security update",
"tracking": {
"current_release_date": "2024-11-05T18:25:19+00:00",
"generator": {
"date": "2024-11-05T18:25:19+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.1.1"
}
},
"id": "RHSA-2014:0497",
"initial_release_date": "2014-05-14T18:06:57+00:00",
"revision_history": [
{
"date": "2014-05-14T18:06:57+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2019-02-20T12:31:38+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2024-11-05T18:25:19+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat JBoss Fuse 6.1",
"product": {
"name": "Red Hat JBoss Fuse 6.1",
"product_id": "Red Hat JBoss Fuse 6.1",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:jboss_fuse:6.1.0"
}
}
}
],
"category": "product_family",
"name": "Red Hat JBoss Fuse"
}
],
"category": "vendor",
"name": "Red Hat"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2014-0114",
"cwe": {
"id": "CWE-470",
"name": "Use of Externally-Controlled Input to Select Classes or Code (\u0027Unsafe Reflection\u0027)"
},
"discovery_date": "2014-04-28T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1091938"
}
],
"notes": [
{
"category": "description",
"text": "Apache Commons BeanUtils, as distributed in lib/commons-beanutils-1.8.0.jar in Apache Struts 1.x through 1.3.10 and in other products requiring commons-beanutils through 1.9.2, does not suppress the class property, which allows remote attackers to \"manipulate\" the ClassLoader and execute arbitrary code via the class parameter, as demonstrated by the passing of this parameter to the getClass method of the ActionForm object in Struts 1.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "1: Class Loader manipulation via request parameters",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This flaw allows attackers to manipulate ClassLoader properties on a vulnerable server. The impact of this depends on which ClassLoader properties are exposed. Exploits that lead to remote code execution have been published. These exploits rely on ClassLoader properties that are exposed on Tomcat 8, which is not included in any supported Red Hat products. However, some Red Hat products that ship Struts 1 do expose ClassLoader properties that could potentially be exploited. Additional information can be found in the Red Hat Knowledgebase article: https://access.redhat.com/site/solutions/869353",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss Fuse 6.1"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2014-0114"
},
{
"category": "external",
"summary": "RHBZ#1091938",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1091938"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2014-0114",
"url": "https://www.cve.org/CVERecord?id=CVE-2014-0114"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2014-0114",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2014-0114"
}
],
"release_date": "2014-04-29T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2014-05-14T18:06:57+00:00",
"details": "The References section of this erratum contains a download link (you must\nlog in to download the update).",
"product_ids": [
"Red Hat JBoss Fuse 6.1"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2014:0497"
},
{
"category": "workaround",
"details": "http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/Protect-your-Struts1-applications/ba-p/6463188#.VCaGk3V53Ua",
"product_ids": [
"Red Hat JBoss Fuse 6.1"
]
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"products": [
"Red Hat JBoss Fuse 6.1"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "1: Class Loader manipulation via request parameters"
}
]
}
var-201404-0288
Vulnerability from variot
Apache Commons BeanUtils, as distributed in lib/commons-beanutils-1.8.0.jar in Apache Struts 1.x through 1.3.10 and in other products requiring commons-beanutils through 1.9.2, does not suppress the class property, which allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via the class parameter, as demonstrated by the passing of this parameter to the getClass method of the ActionForm object in Struts 1. An information management system for hospitals that can manage data such as financial management, clinical practice, and pharmacies. OpenClinic GA There are multiple vulnerabilities in. OpenClinic GA The following vulnerabilities exist in. * Avoid authentication via another path or channel (CWE-288) - CVE-2020-14485 Inappropriate restriction of excessive authentication attempts (CWE-307) - CVE-2020-14484 Improper authentication (CWE-287) - CVE-2020-14494 Lack of certification (CWE-862) - CVE-2020-14491 Execution with unnecessary privileges (CWE-250) - CVE-2020-14493 Unlimited upload of dangerous types of files (CWE-434) - CVE-2020-14488 Path traversal (CWE-22) - CVE-2020-14490 Inappropriate authorization process (CWE-285) - CVE-2020-14486 Cross-site scripting (CWE-79) - CVE-2020-14492 Use of unmaintained third-party products (CWE-1104) - CVE-2020-14495 , CVE-2016-1181 , CVE-2016-1182 Due to * Inadequate protection of credentials (CWE-522) - CVE-2020-14489 Hidden features (CWE-912) - CVE-2020-14487 * However, this vulnerability is Version 5.89.05b Does not affectThe expected impact depends on each vulnerability, but it may be affected as follows. * A remote attacker initiates a session by bypassing client-side access control or sending a specially crafted request. SQL Performs administrator functions such as query execution - CVE-2020-14485 A remote attacker bypasses the system's account lock feature and brute force attacks ( Brute force attack ) Is executed - CVE-2020-14484 In this system, brute force attack ( Brute force attack ) Insufficient protection mechanism allows an unauthenticated attacker to access the system with more than the maximum number of attempts. - CVE-2020-14494 The system SQL Since it does not check the execution permission of the query, a user with lower permission can access information that requires higher permission. - CVE-2020-14491 In this system, with relatively low authority SQL It is possible to write any file by executing, and as a result, any command is executed on the system. - CVE-2020-14493 The system does not properly validate uploaded files, so a low-privileged attacker uploads and executes arbitrary files on the system. - CVE-2020-14488 Executing a file that contains any local file specified by a parameter exposes sensitive information or executes an uploaded malicious file. - CVE-2020-14490 By avoiding the redirect process that is executed when authentication fails, an unauthenticated attacker can execute a command illegally. - CVE-2020-14486 Malicious code is executed on the user's browser because the user's input value is not properly validated. - CVE-2020-14492 Known vulnerabilities in end-of-support third-party software used by the system (CVE-2014-0114 , CVE-2016-1181 , CVE-2016-1182) Malicious code executed by a remote attacker due to * There is a flaw in the hashing process when saving the password, and the password is stolen by a dictionary attack. - CVE-2020-14489 A user account set by default exists in the system in an accessible state, and an attacker can use that account to execute arbitrary commands. - CVE-2020-14487. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
===================================================================== Red Hat Security Advisory
Synopsis: Important: Fuse ESB Enterprise 7.1.0 security update Advisory ID: RHSA-2014:0498-01 Product: Fuse Enterprise Middleware Advisory URL: https://rhn.redhat.com/errata/RHSA-2014-0498.html Issue date: 2014-05-14 CVE Names: CVE-2014-0114 =====================================================================
- Summary:
Fuse ESB Enterprise 7.1.0 R1 P4 (Patch 4 on Rollup Patch 1), a security update that addresses one security issue, is now available from the Red Hat Customer Portal.
The Red Hat Security Response Team has rated this update as having Important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.
- Description:
Fuse ESB Enterprise is an integration platform based on Apache ServiceMix. A remote attacker could use this flaw to manipulate the ClassLoader used by an application server running Struts 1. This could lead to remote code execution under certain conditions. (CVE-2014-0114)
Refer to the readme.txt file included with the patch files for installation instructions.
All users of Fuse ESB Enterprise 7.1.0 as provided from the Red Hat Customer Portal are advised to apply this security update.
- Solution:
The References section of this erratum contains a download link (you must log in to download the update).
- Bugs fixed (https://bugzilla.redhat.com/):
1091938 - CVE-2014-0114 Apache Struts 1: Class Loader manipulation via request parameters
- References:
https://www.redhat.com/security/data/cve/CVE-2014-0114.html https://access.redhat.com/security/updates/classification/#important https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=fuse.esb.enterprise&downloadType=securityPatches&version=7.1.0
- Contact:
The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/
Copyright 2014 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.4 (GNU/Linux)
iD8DBQFTc7htXlSAg2UNWIIRAtEjAJ42Q72A3+z4BA2MCJI8i0qyTvdSrgCeJitA e2zBKDmixb/nax84cDhcYLo= =d5S2 -----END PGP SIGNATURE-----
-- RHSA-announce mailing list RHSA-announce@redhat.com https://www.redhat.com/mailman/listinfo/rhsa-announce . -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256
Note: the current version of the following document is available here: https://h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-c05324755
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c05324755 Version: 1
HPSBGN03669 rev.1 - HPE SiteScope, Local Elevation of Privilege, Remote Denial of Service, Arbitrary Code Execution and Cross-Site Request Forgery
NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.
Release Date: 2016-11-04 Last Updated: 2016-11-04
Potential Security Impact: Local: Elevation of Privilege; Remote: Arbitrary Code Execution, Cross-Site Request Forgery (CSRF), Denial of Service (DoS)
Source: Hewlett Packard Enterprise, Product Security Response Team
VULNERABILITY SUMMARY Potential vulnerabilities have been identified in HPE SiteScope. The vulnerabilities could be exploited to allow local elevation of privilege and exploited remotely to allow denial of service, arbitrary code execution, cross-site request forgery.
References:
- CVE-2014-0114 - Apache Struts, execution of arbitrary code
- CVE-2016-0763 - Apache Tomcat, denial of service (DoS)
- CVE-2014-0107 - Apache XML Xalan, bypass expected restrictions
- CVE-2015-3253 - Apache Groovy, execution of arbitrary code
- CVE-2015-5652 - Python, elevation of privilege
- CVE-2013-6429 - Spring Framework, cross-site request forgery
- CVE-2014-0050 - Apache Commons FileUpload, denial of service (DoS)
- PSRT110264
SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
- HP SiteScope Monitors Software Series 11.2xa11.32IP1
BACKGROUND
CVSS Base Metrics ================= Reference, CVSS V3 Score/Vector, CVSS V2 Score/Vector
CVE-2013-6429
6.5 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L
6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CVE-2014-0050
8.3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L
7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CVE-2014-0107
8.3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L
7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CVE-2014-0114
6.8 CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L
7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CVE-2015-3253
7.1 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CVE-2015-5652
8.6 CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
7.2 (AV:L/AC:L/Au:N/C:C/I:C/A:C)
CVE-2016-0763
6.3 CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
Information on CVSS is documented in
HPE Customer Notice HPSN-2008-002 here:
https://h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-c01345499
RESOLUTION
HPE has provided a resolution via an update to HPE SiteScope. Details on the update and each vulnerability are in the KM articles below.
Note: The resolution for each vulnerability listed is to upgrade to SiteScope 11.32IP2 or an even more recent version of SiteScope if available. The SiteScope update can be can found in the personal zone in "my updates" in HPE Software Support Online: https://softwaresupport.hpe.com.
-
Apache Commons FileUpload: KM02550251 (CVE-2014-0050):
-
Apache Struts: KM02553983 (CVE-2014-0114):
-
Apache Tomcat: KM02553990 (CVE-2016-0763):
-
Apache XML Xalan: KM02553991 (CVE-2014-0107):
-
Apache Groovy: KM02553992 (CVE-2015-3253):
-
Python: KM02553997 (CVE-2015-5652):
-
Spring Framework: KM02553998 (CVE-2013-6429):
HISTORY Version:1 (rev.1) - 4 November 2016 Initial release
Third Party Security Patches: Third party security patches that are to be installed on systems running Hewlett Packard Enterprise (HPE) software products should be applied in accordance with the customer's patch management policy.
Support: For issues about implementing the recommendations of this Security Bulletin, contact normal HPE Services support channel. For other issues about the content of this Security Bulletin, send e-mail to security-alert@hpe.com.
Report: To report a potential security vulnerability for any HPE supported product: Web form: https://www.hpe.com/info/report-security-vulnerability Email: security-alert@hpe.com
Subscribe: To initiate a subscription to receive future HPE Security Bulletin alerts via Email: http://www.hpe.com/support/Subscriber_Choice
Security Bulletin Archive: A list of recently released Security Bulletins is available here: http://www.hpe.com/support/Security_Bulletin_Archive
Software Product Category: The Software Product Category is represented in the title by the two characters following HPSB.
3C = 3COM 3P = 3rd Party Software GN = HPE General Software HF = HPE Hardware and Firmware MU = Multi-Platform Software NS = NonStop Servers OV = OpenVMS PV = ProCurve ST = Storage Software UX = HP-UX
Copyright 2016 Hewlett Packard Enterprise
Hewlett Packard Enterprise shall not be liable for technical or editorial errors or omissions contained herein. The information provided is provided "as is" without warranty of any kind. To the extent permitted by law, neither HP or its affiliates, subcontractors or suppliers will be liable for incidental,special or consequential damages including downtime cost; lost profits; damages relating to the procurement of substitute products or services; or damages for loss of data, or software restoration. The information in this document is subject to change without notice. Hewlett Packard Enterprise and the names of Hewlett Packard Enterprise products referenced herein are trademarks of Hewlett Packard Enterprise in the United States and other countries. Other product and company names mentioned herein may be trademarks of their respective owners.
References: CVE-2014-0114, SSRT101566
SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
Mitigation information for the Apache Struts vulnerability (CVE-2014-0114) is available at the following location:
http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/Protect-your-Struts1-a pplications/ba-p/6463188#.U2J7xeaSxro
Japanese information is available at the following location:
http://www.hp.com/jp/icewall_patchaccess
Note: The HP IceWall product is only available in Japan. Hewlett-Packard Company shall not be liable for technical or editorial errors or omissions contained herein
Show details on source website{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-201404-0288",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "struts",
"scope": "eq",
"trust": 1.0,
"vendor": "apache",
"version": "1.2.4"
},
{
"model": "struts",
"scope": "eq",
"trust": 1.0,
"vendor": "apache",
"version": "1.2.8"
},
{
"model": "struts",
"scope": "eq",
"trust": 1.0,
"vendor": "apache",
"version": "1.0"
},
{
"model": "struts",
"scope": "eq",
"trust": 1.0,
"vendor": "apache",
"version": "1.2.7"
},
{
"model": "struts",
"scope": "eq",
"trust": 1.0,
"vendor": "apache",
"version": "1.3.5"
},
{
"model": "struts",
"scope": "eq",
"trust": 1.0,
"vendor": "apache",
"version": "1.0.2"
},
{
"model": "struts",
"scope": "eq",
"trust": 1.0,
"vendor": "apache",
"version": "1.2.2"
},
{
"model": "struts",
"scope": "eq",
"trust": 1.0,
"vendor": "apache",
"version": "1.2.6"
},
{
"model": "struts",
"scope": "eq",
"trust": 1.0,
"vendor": "apache",
"version": "1.2.9"
},
{
"model": "struts",
"scope": "eq",
"trust": 1.0,
"vendor": "apache",
"version": "1.3.8"
},
{
"model": "struts",
"scope": "eq",
"trust": 1.0,
"vendor": "apache",
"version": "1.3.10"
},
{
"model": "commons beanutils",
"scope": "lte",
"trust": 1.0,
"vendor": "apache",
"version": "1.9.1"
},
{
"model": "struts",
"scope": "eq",
"trust": 1.0,
"vendor": "apache",
"version": "1.1"
},
{
"model": "openclinic ga",
"scope": "eq",
"trust": 0.8,
"vendor": "openclinic ga",
"version": null
},
{
"model": "openclinic ga",
"scope": "eq",
"trust": 0.8,
"vendor": "openclinic ga",
"version": "version 5.09.02"
},
{
"model": "openclinic ga",
"scope": "eq",
"trust": 0.8,
"vendor": "openclinic ga",
"version": "version 5.89.05b"
},
{
"model": "struts",
"scope": "eq",
"trust": 0.8,
"vendor": "apache",
"version": "1.x to 1.3.10"
},
{
"model": "\u30af\u30e9\u30a6\u30c9 \u30a4\u30f3\u30d5\u30e9 \u30de\u30cd\u30fc\u30b8\u30e1\u30f3\u30c8 \u30bd\u30d5\u30c8\u30a6\u30a7\u30a2",
"scope": null,
"trust": 0.8,
"vendor": "\u5bcc\u58eb\u901a",
"version": null
},
{
"model": "fujitsu integrated system ha database ready",
"scope": "eq",
"trust": 0.8,
"vendor": "\u5bcc\u58eb\u901a",
"version": null
},
{
"model": "interstage",
"scope": "eq",
"trust": 0.8,
"vendor": "\u5bcc\u58eb\u901a",
"version": "business analytics modeling server"
},
{
"model": "interstage",
"scope": "eq",
"trust": 0.8,
"vendor": "\u5bcc\u58eb\u901a",
"version": "business process manager analytics"
},
{
"model": "interstage",
"scope": "eq",
"trust": 0.8,
"vendor": "\u5bcc\u58eb\u901a",
"version": "mobile manager"
},
{
"model": "interstage",
"scope": "eq",
"trust": 0.8,
"vendor": "\u5bcc\u58eb\u901a",
"version": "extreme transaction processing server"
},
{
"model": "interstage",
"scope": "eq",
"trust": 0.8,
"vendor": "\u5bcc\u58eb\u901a",
"version": "navigator explorer server"
},
{
"model": "interstage",
"scope": "eq",
"trust": 0.8,
"vendor": "\u5bcc\u58eb\u901a",
"version": "application development cycle manager"
},
{
"model": "interstage",
"scope": "eq",
"trust": 0.8,
"vendor": "\u5bcc\u58eb\u901a",
"version": "application framework suite"
},
{
"model": "interstage",
"scope": "eq",
"trust": 0.8,
"vendor": "\u5bcc\u58eb\u901a",
"version": "application server"
},
{
"model": "interstage",
"scope": "eq",
"trust": 0.8,
"vendor": "\u5bcc\u58eb\u901a",
"version": "apworks"
},
{
"model": "interstage",
"scope": "eq",
"trust": 0.8,
"vendor": "\u5bcc\u58eb\u901a",
"version": "business application server"
},
{
"model": "interstage",
"scope": "eq",
"trust": 0.8,
"vendor": "\u5bcc\u58eb\u901a",
"version": "job workload server"
},
{
"model": "interstage",
"scope": "eq",
"trust": 0.8,
"vendor": "\u5bcc\u58eb\u901a",
"version": "service integrator"
},
{
"model": "interstage",
"scope": "eq",
"trust": 0.8,
"vendor": "\u5bcc\u58eb\u901a",
"version": "studio"
},
{
"model": "interstage application development cycle manager",
"scope": "eq",
"trust": 0.8,
"vendor": "\u5bcc\u58eb\u901a",
"version": null
},
{
"model": "interstage application framework suite",
"scope": "eq",
"trust": 0.8,
"vendor": "\u5bcc\u58eb\u901a",
"version": null
},
{
"model": "interstage application server",
"scope": "eq",
"trust": 0.8,
"vendor": "\u5bcc\u58eb\u901a",
"version": null
},
{
"model": "interstage apworks",
"scope": "eq",
"trust": 0.8,
"vendor": "\u5bcc\u58eb\u901a",
"version": null
},
{
"model": "interstage business application server",
"scope": "eq",
"trust": 0.8,
"vendor": "\u5bcc\u58eb\u901a",
"version": null
},
{
"model": "interstage job workload server",
"scope": "eq",
"trust": 0.8,
"vendor": "\u5bcc\u58eb\u901a",
"version": null
},
{
"model": "interstage service integrator",
"scope": "eq",
"trust": 0.8,
"vendor": "\u5bcc\u58eb\u901a",
"version": null
},
{
"model": "interstage studio",
"scope": "eq",
"trust": 0.8,
"vendor": "\u5bcc\u58eb\u901a",
"version": null
},
{
"model": "serverview",
"scope": "eq",
"trust": 0.8,
"vendor": "\u5bcc\u58eb\u901a",
"version": "resource orchestrator"
},
{
"model": "symfoware",
"scope": "eq",
"trust": 0.8,
"vendor": "\u5bcc\u58eb\u901a",
"version": "analytics server"
},
{
"model": "symfoware",
"scope": "eq",
"trust": 0.8,
"vendor": "\u5bcc\u58eb\u901a",
"version": "server"
},
{
"model": "systemwalker service catalog manager",
"scope": "eq",
"trust": 0.8,
"vendor": "\u5bcc\u58eb\u901a",
"version": null
},
{
"model": "systemwalker service quality coordinator",
"scope": "eq",
"trust": 0.8,
"vendor": "\u5bcc\u58eb\u901a",
"version": null
},
{
"model": "systemwalker software configuration manager",
"scope": "eq",
"trust": 0.8,
"vendor": "\u5bcc\u58eb\u901a",
"version": null
},
{
"model": "triole",
"scope": "eq",
"trust": 0.8,
"vendor": "\u5bcc\u58eb\u901a",
"version": "cloud middle set b set"
},
{
"model": "hitachi device manager",
"scope": "eq",
"trust": 0.8,
"vendor": "\u65e5\u7acb",
"version": "software"
},
{
"model": "hitachi global link manager",
"scope": "eq",
"trust": 0.8,
"vendor": "\u65e5\u7acb",
"version": "software"
},
{
"model": "job management partner 1/performance management - web console",
"scope": "eq",
"trust": 0.8,
"vendor": "\u65e5\u7acb",
"version": null
},
{
"model": "jp1/performance management",
"scope": "eq",
"trust": 0.8,
"vendor": "\u65e5\u7acb",
"version": "- manager web option"
},
{
"model": "jp1/performance management",
"scope": "eq",
"trust": 0.8,
"vendor": "\u65e5\u7acb",
"version": "- web console"
},
{
"model": "hitachi replication manager",
"scope": "eq",
"trust": 0.8,
"vendor": "\u65e5\u7acb",
"version": "software"
},
{
"model": "hitachi tiered storage manager",
"scope": "eq",
"trust": 0.8,
"vendor": "\u65e5\u7acb",
"version": "software"
},
{
"model": "hitachi tuning manager",
"scope": "eq",
"trust": 0.8,
"vendor": "\u65e5\u7acb",
"version": "software"
},
{
"model": "hp device manager",
"scope": "eq",
"trust": 0.8,
"vendor": "\u30d2\u30e5\u30fc\u30ec\u30c3\u30c8 \u30d1\u30c3\u30ab\u30fc\u30c9",
"version": null
},
{
"model": "hp xp7",
"scope": "eq",
"trust": 0.8,
"vendor": "\u30d2\u30e5\u30fc\u30ec\u30c3\u30c8 \u30d1\u30c3\u30ab\u30fc\u30c9",
"version": "global link manager software"
},
{
"model": "hp xp p9000",
"scope": "eq",
"trust": 0.8,
"vendor": "\u30d2\u30e5\u30fc\u30ec\u30c3\u30c8 \u30d1\u30c3\u30ab\u30fc\u30c9",
"version": "replication manager"
},
{
"model": "hp xp p9000",
"scope": "eq",
"trust": 0.8,
"vendor": "\u30d2\u30e5\u30fc\u30ec\u30c3\u30c8 \u30d1\u30c3\u30ab\u30fc\u30c9",
"version": "tiered storage manager"
},
{
"model": "connections",
"scope": "eq",
"trust": 0.8,
"vendor": "ibm",
"version": "5.0"
},
{
"model": "connections",
"scope": "eq",
"trust": 0.8,
"vendor": "ibm",
"version": "4.5"
},
{
"model": "connections",
"scope": "eq",
"trust": 0.8,
"vendor": "ibm",
"version": "4.0"
},
{
"model": "connections",
"scope": "lte",
"trust": 0.8,
"vendor": "ibm",
"version": "3.0.1.1"
},
{
"model": "content collector",
"scope": "eq",
"trust": 0.8,
"vendor": "ibm",
"version": "2.2"
},
{
"model": "lotus expeditor",
"scope": "eq",
"trust": 0.8,
"vendor": "ibm",
"version": "6.1.x"
},
{
"model": "lotus expeditor",
"scope": "eq",
"trust": 0.8,
"vendor": "ibm",
"version": "6.2.x"
},
{
"model": "lotus mashups",
"scope": "eq",
"trust": 0.8,
"vendor": "ibm",
"version": "2.0.0.2"
},
{
"model": "lotus mashups",
"scope": "eq",
"trust": 0.8,
"vendor": "ibm",
"version": "3.0.0.1"
},
{
"model": "lotus quickr",
"scope": "eq",
"trust": 0.8,
"vendor": "ibm",
"version": "8.5 for websphere portal"
},
{
"model": "rational change",
"scope": "eq",
"trust": 0.8,
"vendor": "ibm",
"version": "5.2"
},
{
"model": "rational change",
"scope": "eq",
"trust": 0.8,
"vendor": "ibm",
"version": "5.3"
},
{
"model": "rational change",
"scope": "eq",
"trust": 0.8,
"vendor": "ibm",
"version": "5.3.1"
},
{
"model": "websphere portal",
"scope": "eq",
"trust": 0.8,
"vendor": "ibm",
"version": "8.5"
},
{
"model": "websphere portal",
"scope": "eq",
"trust": 0.8,
"vendor": "ibm",
"version": "8.0"
},
{
"model": "websphere portal",
"scope": "eq",
"trust": 0.8,
"vendor": "ibm",
"version": "7"
},
{
"model": "websphere portal",
"scope": "eq",
"trust": 0.8,
"vendor": "ibm",
"version": "6.1.x"
},
{
"model": "esmpro/servermanager",
"scope": "lte",
"trust": 0.8,
"vendor": "\u65e5\u672c\u96fb\u6c17",
"version": "ver5.75"
},
{
"model": "infocage",
"scope": "eq",
"trust": 0.8,
"vendor": "\u65e5\u672c\u96fb\u6c17",
"version": "pc security"
},
{
"model": "infocage",
"scope": "eq",
"trust": 0.8,
"vendor": "\u65e5\u672c\u96fb\u6c17",
"version": "security risk management v1.0.0 to v1.0.6"
},
{
"model": "infocage",
"scope": "eq",
"trust": 0.8,
"vendor": "\u65e5\u672c\u96fb\u6c17",
"version": "security risk management v1.0.0 to v2.1.3"
},
{
"model": "webotx",
"scope": "eq",
"trust": 0.8,
"vendor": "\u65e5\u672c\u96fb\u6c17",
"version": "enterprise edition v5.1 to v5.2"
},
{
"model": "webotx",
"scope": "eq",
"trust": 0.8,
"vendor": "\u65e5\u672c\u96fb\u6c17",
"version": "enterprise edition v6.1 to v6.5"
},
{
"model": "webotx",
"scope": "eq",
"trust": 0.8,
"vendor": "\u65e5\u672c\u96fb\u6c17",
"version": "rfid manager enterprise v7.1"
},
{
"model": "webotx",
"scope": "eq",
"trust": 0.8,
"vendor": "\u65e5\u672c\u96fb\u6c17",
"version": "rfid manager lite v2.0"
},
{
"model": "webotx",
"scope": "eq",
"trust": 0.8,
"vendor": "\u65e5\u672c\u96fb\u6c17",
"version": "rfid manager standard v2.0"
},
{
"model": "webotx",
"scope": "eq",
"trust": 0.8,
"vendor": "\u65e5\u672c\u96fb\u6c17",
"version": "standard edition v5.1 to v5.2"
},
{
"model": "webotx",
"scope": "eq",
"trust": 0.8,
"vendor": "\u65e5\u672c\u96fb\u6c17",
"version": "standard edition v6.1 to v6.5"
},
{
"model": "webotx",
"scope": "eq",
"trust": 0.8,
"vendor": "\u65e5\u672c\u96fb\u6c17",
"version": "standard-j edition v5.1 to v5.2"
},
{
"model": "webotx",
"scope": "eq",
"trust": 0.8,
"vendor": "\u65e5\u672c\u96fb\u6c17",
"version": "standard-j edition v6.1 to v6.5"
},
{
"model": "webotx",
"scope": "eq",
"trust": 0.8,
"vendor": "\u65e5\u672c\u96fb\u6c17",
"version": "web edition v5.1 to v5.2"
},
{
"model": "webotx",
"scope": "eq",
"trust": 0.8,
"vendor": "\u65e5\u672c\u96fb\u6c17",
"version": "web edition v6.1 to v6.5"
},
{
"model": "webotx",
"scope": "eq",
"trust": 0.8,
"vendor": "\u65e5\u672c\u96fb\u6c17",
"version": "application server v7.1"
},
{
"model": "webotx",
"scope": "eq",
"trust": 0.8,
"vendor": "\u65e5\u672c\u96fb\u6c17",
"version": "developer v8.2 to v8.4 (with developer\u0027s studio only )"
},
{
"model": "webotx",
"scope": "eq",
"trust": 0.8,
"vendor": "\u65e5\u672c\u96fb\u6c17",
"version": "developer v9.1 to v9.2 (with developer\u0027s studio only )"
},
{
"model": "webotx",
"scope": "eq",
"trust": 0.8,
"vendor": "\u65e5\u672c\u96fb\u6c17",
"version": "portal v8.3 to v8.4"
},
{
"model": "webotx",
"scope": "eq",
"trust": 0.8,
"vendor": "\u65e5\u672c\u96fb\u6c17",
"version": "portal v9.1"
},
{
"model": "webotx application server",
"scope": "eq",
"trust": 0.8,
"vendor": "\u65e5\u672c\u96fb\u6c17",
"version": "v7.1"
},
{
"model": "webotx developer",
"scope": "eq",
"trust": 0.8,
"vendor": "\u65e5\u672c\u96fb\u6c17",
"version": "v8.2 to v8.4 (with developer\u0027s studio only )"
},
{
"model": "webotx developer",
"scope": "eq",
"trust": 0.8,
"vendor": "\u65e5\u672c\u96fb\u6c17",
"version": "v9.1 to v9.2 (with developer\u0027s studio only )"
},
{
"model": "webotx portal",
"scope": "eq",
"trust": 0.8,
"vendor": "\u65e5\u672c\u96fb\u6c17",
"version": "v8.3 to v8.4"
},
{
"model": "webotx portal",
"scope": "eq",
"trust": 0.8,
"vendor": "\u65e5\u672c\u96fb\u6c17",
"version": "v9.1"
},
{
"model": "terasoluna server framework for java",
"scope": "lte",
"trust": 0.8,
"vendor": "\u682a\u5f0f\u4f1a\u793e\u30a8\u30cc \u30c6\u30a3 \u30c6\u30a3 \u30c7\u30fc\u30bf",
"version": "2.0.0.1 from 2.0.5.1"
},
{
"model": "oracle communications applications",
"scope": "eq",
"trust": 0.8,
"vendor": "\u30aa\u30e9\u30af\u30eb",
"version": "of metasolv solution 6.2.1.0.0"
},
{
"model": "oracle communications applications",
"scope": "eq",
"trust": 0.8,
"vendor": "\u30aa\u30e9\u30af\u30eb",
"version": "of metasolv solution asr: 49.0.0"
},
{
"model": "oracle communications applications",
"scope": "eq",
"trust": 0.8,
"vendor": "\u30aa\u30e9\u30af\u30eb",
"version": "of metasolv solution lsr: 10.1.0"
},
{
"model": "oracle communications applications",
"scope": "eq",
"trust": 0.8,
"vendor": "\u30aa\u30e9\u30af\u30eb",
"version": "of metasolv solution lsr: 9.4.0"
},
{
"model": "oracle fusion middleware",
"scope": "eq",
"trust": 0.8,
"vendor": "\u30aa\u30e9\u30af\u30eb",
"version": "of oracle adaptive access manager 11.1.1.5"
},
{
"model": "oracle fusion middleware",
"scope": "eq",
"trust": 0.8,
"vendor": "\u30aa\u30e9\u30af\u30eb",
"version": "of oracle adaptive access manager 11.1.1.7"
},
{
"model": "oracle fusion middleware",
"scope": "eq",
"trust": 0.8,
"vendor": "\u30aa\u30e9\u30af\u30eb",
"version": "of oracle adaptive access manager 11.1.2.1"
},
{
"model": "oracle fusion middleware",
"scope": "eq",
"trust": 0.8,
"vendor": "\u30aa\u30e9\u30af\u30eb",
"version": "of oracle adaptive access manager 11.1.2.2"
},
{
"model": "oracle fusion middleware",
"scope": "eq",
"trust": 0.8,
"vendor": "\u30aa\u30e9\u30af\u30eb",
"version": "of oracle enterprise data quality 8.1.2"
},
{
"model": "oracle fusion middleware",
"scope": "eq",
"trust": 0.8,
"vendor": "\u30aa\u30e9\u30af\u30eb",
"version": "of oracle enterprise data quality 9.0.11"
},
{
"model": "oracle fusion middleware",
"scope": "eq",
"trust": 0.8,
"vendor": "\u30aa\u30e9\u30af\u30eb",
"version": "of oracle jdeveloper 10.1.3.5"
},
{
"model": "oracle fusion middleware",
"scope": "eq",
"trust": 0.8,
"vendor": "\u30aa\u30e9\u30af\u30eb",
"version": "of oracle jdeveloper 11.1.1.7"
},
{
"model": "oracle fusion middleware",
"scope": "eq",
"trust": 0.8,
"vendor": "\u30aa\u30e9\u30af\u30eb",
"version": "of oracle jdeveloper 11.1.2.4"
},
{
"model": "oracle fusion middleware",
"scope": "eq",
"trust": 0.8,
"vendor": "\u30aa\u30e9\u30af\u30eb",
"version": "of oracle jdeveloper 12.1.2.0"
},
{
"model": "oracle fusion middleware",
"scope": "eq",
"trust": 0.8,
"vendor": "\u30aa\u30e9\u30af\u30eb",
"version": "of oracle jdeveloper 12.1.3.0"
},
{
"model": "oracle fusion middleware",
"scope": "eq",
"trust": 0.8,
"vendor": "\u30aa\u30e9\u30af\u30eb",
"version": "of oracle waveset 8.1.1"
},
{
"model": "oracle fusion middleware",
"scope": "eq",
"trust": 0.8,
"vendor": "\u30aa\u30e9\u30af\u30eb",
"version": "of oracle weblogic portal 10.0.1.0"
},
{
"model": "oracle fusion middleware",
"scope": "eq",
"trust": 0.8,
"vendor": "\u30aa\u30e9\u30af\u30eb",
"version": "of oracle weblogic portal 10.2.1.0"
},
{
"model": "oracle fusion middleware",
"scope": "eq",
"trust": 0.8,
"vendor": "\u30aa\u30e9\u30af\u30eb",
"version": "of oracle weblogic portal 10.3.6.0"
},
{
"model": "oracle fusion middleware",
"scope": "eq",
"trust": 0.8,
"vendor": "\u30aa\u30e9\u30af\u30eb",
"version": "of oracle real-time decision server 11.1.1.7 (rtd platform 3.0.x)"
},
{
"model": "oracle identity manager",
"scope": "eq",
"trust": 0.8,
"vendor": "\u30aa\u30e9\u30af\u30eb",
"version": "11.1.1.5"
},
{
"model": "oracle identity manager",
"scope": "eq",
"trust": 0.8,
"vendor": "\u30aa\u30e9\u30af\u30eb",
"version": "11.1.1.7"
},
{
"model": "oracle identity manager",
"scope": "eq",
"trust": 0.8,
"vendor": "\u30aa\u30e9\u30af\u30eb",
"version": "11.1.2.1"
},
{
"model": "oracle identity manager",
"scope": "eq",
"trust": 0.8,
"vendor": "\u30aa\u30e9\u30af\u30eb",
"version": "11.1.2.2"
},
{
"model": "oracle primavera products suite",
"scope": "eq",
"trust": 0.8,
"vendor": "\u30aa\u30e9\u30af\u30eb",
"version": "of primavera contract management 13.1"
},
{
"model": "oracle primavera products suite",
"scope": "eq",
"trust": 0.8,
"vendor": "\u30aa\u30e9\u30af\u30eb",
"version": "of primavera contract management 14.0"
},
{
"model": "oracle primavera products suite",
"scope": "eq",
"trust": 0.8,
"vendor": "\u30aa\u30e9\u30af\u30eb",
"version": "of primavera p6 enterprise project portfolio management 7.0"
},
{
"model": "oracle primavera products suite",
"scope": "eq",
"trust": 0.8,
"vendor": "\u30aa\u30e9\u30af\u30eb",
"version": "of primavera p6 enterprise project portfolio management 8.0"
},
{
"model": "oracle primavera products suite",
"scope": "eq",
"trust": 0.8,
"vendor": "\u30aa\u30e9\u30af\u30eb",
"version": "of primavera p6 enterprise project portfolio management 8.1"
},
{
"model": "oracle primavera products suite",
"scope": "eq",
"trust": 0.8,
"vendor": "\u30aa\u30e9\u30af\u30eb",
"version": "of primavera p6 enterprise project portfolio management 8.2"
},
{
"model": "oracle primavera products suite",
"scope": "eq",
"trust": 0.8,
"vendor": "\u30aa\u30e9\u30af\u30eb",
"version": "of primavera p6 enterprise project portfolio management 8.3"
},
{
"model": "oracle retail applications",
"scope": "eq",
"trust": 0.8,
"vendor": "\u30aa\u30e9\u30af\u30eb",
"version": "of allocation 10.0"
},
{
"model": "oracle retail applications",
"scope": "eq",
"trust": 0.8,
"vendor": "\u30aa\u30e9\u30af\u30eb",
"version": "of allocation 11.0"
},
{
"model": "oracle retail applications",
"scope": "eq",
"trust": 0.8,
"vendor": "\u30aa\u30e9\u30af\u30eb",
"version": "of allocation 12.0"
},
{
"model": "oracle retail applications",
"scope": "eq",
"trust": 0.8,
"vendor": "\u30aa\u30e9\u30af\u30eb",
"version": "of allocation 13.0"
},
{
"model": "oracle retail applications",
"scope": "eq",
"trust": 0.8,
"vendor": "\u30aa\u30e9\u30af\u30eb",
"version": "of allocation 13.1"
},
{
"model": "oracle retail applications",
"scope": "eq",
"trust": 0.8,
"vendor": "\u30aa\u30e9\u30af\u30eb",
"version": "of allocation 13.2"
},
{
"model": "oracle retail applications",
"scope": "eq",
"trust": 0.8,
"vendor": "\u30aa\u30e9\u30af\u30eb",
"version": "of back office 12.0"
},
{
"model": "oracle retail applications",
"scope": "eq",
"trust": 0.8,
"vendor": "\u30aa\u30e9\u30af\u30eb",
"version": "of back office 12.0.9in"
},
{
"model": "oracle retail applications",
"scope": "eq",
"trust": 0.8,
"vendor": "\u30aa\u30e9\u30af\u30eb",
"version": "of back office 13.0"
},
{
"model": "oracle retail applications",
"scope": "eq",
"trust": 0.8,
"vendor": "\u30aa\u30e9\u30af\u30eb",
"version": "of back office 13.1"
},
{
"model": "oracle retail applications",
"scope": "eq",
"trust": 0.8,
"vendor": "\u30aa\u30e9\u30af\u30eb",
"version": "of back office 13.2"
},
{
"model": "oracle retail applications",
"scope": "eq",
"trust": 0.8,
"vendor": "\u30aa\u30e9\u30af\u30eb",
"version": "of back office 13.3"
},
{
"model": "oracle retail applications",
"scope": "eq",
"trust": 0.8,
"vendor": "\u30aa\u30e9\u30af\u30eb",
"version": "of back office 13.4"
},
{
"model": "oracle retail applications",
"scope": "eq",
"trust": 0.8,
"vendor": "\u30aa\u30e9\u30af\u30eb",
"version": "of back office 14.0"
},
{
"model": "oracle retail applications",
"scope": "eq",
"trust": 0.8,
"vendor": "\u30aa\u30e9\u30af\u30eb",
"version": "of back office 8.0"
},
{
"model": "oracle retail applications",
"scope": "eq",
"trust": 0.8,
"vendor": "\u30aa\u30e9\u30af\u30eb",
"version": "of central office 12.0"
},
{
"model": "oracle retail applications",
"scope": "eq",
"trust": 0.8,
"vendor": "\u30aa\u30e9\u30af\u30eb",
"version": "of central office 12.0.9in"
},
{
"model": "oracle retail applications",
"scope": "eq",
"trust": 0.8,
"vendor": "\u30aa\u30e9\u30af\u30eb",
"version": "of central office 13.0"
},
{
"model": "oracle retail applications",
"scope": "eq",
"trust": 0.8,
"vendor": "\u30aa\u30e9\u30af\u30eb",
"version": "of central office 13.1"
},
{
"model": "oracle retail applications",
"scope": "eq",
"trust": 0.8,
"vendor": "\u30aa\u30e9\u30af\u30eb",
"version": "of central office 13.2"
},
{
"model": "oracle retail applications",
"scope": "eq",
"trust": 0.8,
"vendor": "\u30aa\u30e9\u30af\u30eb",
"version": "of central office 13.3"
},
{
"model": "oracle retail applications",
"scope": "eq",
"trust": 0.8,
"vendor": "\u30aa\u30e9\u30af\u30eb",
"version": "of central office 13.4"
},
{
"model": "oracle retail applications",
"scope": "eq",
"trust": 0.8,
"vendor": "\u30aa\u30e9\u30af\u30eb",
"version": "of central office 14.0"
},
{
"model": "oracle retail applications",
"scope": "eq",
"trust": 0.8,
"vendor": "\u30aa\u30e9\u30af\u30eb",
"version": "of central office 8.0"
},
{
"model": "oracle retail applications",
"scope": "eq",
"trust": 0.8,
"vendor": "\u30aa\u30e9\u30af\u30eb",
"version": "of clearance optimization engine 13.3"
},
{
"model": "oracle retail applications",
"scope": "eq",
"trust": 0.8,
"vendor": "\u30aa\u30e9\u30af\u30eb",
"version": "of clearance optimization engine 13.4"
},
{
"model": "oracle retail applications",
"scope": "eq",
"trust": 0.8,
"vendor": "\u30aa\u30e9\u30af\u30eb",
"version": "of clearance optimization engine 14.0"
},
{
"model": "oracle retail applications",
"scope": "eq",
"trust": 0.8,
"vendor": "\u30aa\u30e9\u30af\u30eb",
"version": "of invoice matching 11.0"
},
{
"model": "oracle retail applications",
"scope": "eq",
"trust": 0.8,
"vendor": "\u30aa\u30e9\u30af\u30eb",
"version": "of invoice matching 12.0"
},
{
"model": "oracle retail applications",
"scope": "eq",
"trust": 0.8,
"vendor": "\u30aa\u30e9\u30af\u30eb",
"version": "of invoice matching 12.0 in"
},
{
"model": "oracle retail applications",
"scope": "eq",
"trust": 0.8,
"vendor": "\u30aa\u30e9\u30af\u30eb",
"version": "of invoice matching 12.1"
},
{
"model": "oracle retail applications",
"scope": "eq",
"trust": 0.8,
"vendor": "\u30aa\u30e9\u30af\u30eb",
"version": "of invoice matching 13.0"
},
{
"model": "oracle retail applications",
"scope": "eq",
"trust": 0.8,
"vendor": "\u30aa\u30e9\u30af\u30eb",
"version": "of invoice matching 13.1"
},
{
"model": "oracle retail applications",
"scope": "eq",
"trust": 0.8,
"vendor": "\u30aa\u30e9\u30af\u30eb",
"version": "of invoice matching 13.2"
},
{
"model": "oracle retail applications",
"scope": "eq",
"trust": 0.8,
"vendor": "\u30aa\u30e9\u30af\u30eb",
"version": "of invoice matching 14.0"
},
{
"model": "oracle retail applications",
"scope": "eq",
"trust": 0.8,
"vendor": "\u30aa\u30e9\u30af\u30eb",
"version": "of markdown optimization 12.0"
},
{
"model": "oracle retail applications",
"scope": "eq",
"trust": 0.8,
"vendor": "\u30aa\u30e9\u30af\u30eb",
"version": "of markdown optimization 13.0"
},
{
"model": "oracle retail applications",
"scope": "eq",
"trust": 0.8,
"vendor": "\u30aa\u30e9\u30af\u30eb",
"version": "of markdown optimization 13.1"
},
{
"model": "oracle retail applications",
"scope": "eq",
"trust": 0.8,
"vendor": "\u30aa\u30e9\u30af\u30eb",
"version": "of markdown optimization 13.2"
},
{
"model": "oracle retail applications",
"scope": "eq",
"trust": 0.8,
"vendor": "\u30aa\u30e9\u30af\u30eb",
"version": "of markdown optimization 13.4"
},
{
"model": "oracle retail applications",
"scope": "eq",
"trust": 0.8,
"vendor": "\u30aa\u30e9\u30af\u30eb",
"version": "of returns management 13.1"
},
{
"model": "oracle retail applications",
"scope": "eq",
"trust": 0.8,
"vendor": "\u30aa\u30e9\u30af\u30eb",
"version": "of returns management 13.2"
},
{
"model": "oracle retail applications",
"scope": "eq",
"trust": 0.8,
"vendor": "\u30aa\u30e9\u30af\u30eb",
"version": "of returns management 13.3"
},
{
"model": "oracle retail applications",
"scope": "eq",
"trust": 0.8,
"vendor": "\u30aa\u30e9\u30af\u30eb",
"version": "of returns management 13.4"
},
{
"model": "oracle retail applications",
"scope": "eq",
"trust": 0.8,
"vendor": "\u30aa\u30e9\u30af\u30eb",
"version": "of returns management 14.0"
},
{
"model": "oracle retail applications",
"scope": "eq",
"trust": 0.8,
"vendor": "\u30aa\u30e9\u30af\u30eb",
"version": "of returns management 2.0"
},
{
"model": "oracle weblogic server",
"scope": "eq",
"trust": 0.8,
"vendor": "\u30aa\u30e9\u30af\u30eb",
"version": "10.0.2.0"
},
{
"model": "oracle weblogic server",
"scope": "eq",
"trust": 0.8,
"vendor": "\u30aa\u30e9\u30af\u30eb",
"version": "10.3.6.0"
},
{
"model": "oracle weblogic server",
"scope": "eq",
"trust": 0.8,
"vendor": "\u30aa\u30e9\u30af\u30eb",
"version": "12.1.1.0"
},
{
"model": "oracle weblogic server",
"scope": "eq",
"trust": 0.8,
"vendor": "\u30aa\u30e9\u30af\u30eb",
"version": "12.1.2.0"
},
{
"model": "oracle weblogic server",
"scope": "eq",
"trust": 0.8,
"vendor": "\u30aa\u30e9\u30af\u30eb",
"version": "12.1.3.0"
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2020-006468"
},
{
"db": "JVNDB",
"id": "JVNDB-2014-002308"
},
{
"db": "NVD",
"id": "CVE-2014-0114"
}
]
},
"configurations": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/configurations#",
"children": {
"@container": "@list"
},
"cpe_match": {
"@container": "@list"
},
"data": {
"@container": "@list"
},
"nodes": {
"@container": "@list"
}
},
"data": [
{
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:apache:commons_beanutils:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndIncluding": "1.9.1",
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:apache:struts:1.2.8:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apache:struts:1.3.5:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apache:struts:1.3.8:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apache:struts:1.1:rc2:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apache:struts:1.1:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apache:struts:1.2.7:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apache:struts:1.2.6:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apache:struts:1.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apache:struts:1.1:rc1:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apache:struts:1.0.2:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apache:struts:1.3.10:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apache:struts:1.1:b1:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apache:struts:1.2.4:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apache:struts:1.2.2:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apache:struts:1.1:b2:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apache:struts:1.1:b3:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apache:struts:1.2.9:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
}
]
}
],
"sources": [
{
"db": "NVD",
"id": "CVE-2014-0114"
}
]
},
"credits": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/credits#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "HP",
"sources": [
{
"db": "PACKETSTORM",
"id": "127868"
},
{
"db": "PACKETSTORM",
"id": "128873"
},
{
"db": "PACKETSTORM",
"id": "139721"
},
{
"db": "PACKETSTORM",
"id": "126811"
}
],
"trust": 0.4
},
"cve": "CVE-2014-0114",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"acInsufInfo": false,
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "NVD",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"exploitabilityScore": 10.0,
"impactScore": 6.4,
"integrityImpact": "PARTIAL",
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "HIGH",
"trust": 1.0,
"userInteractionRequired": false,
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
{
"acInsufInfo": null,
"accessComplexity": "Low",
"accessVector": "Network",
"authentication": "None",
"author": "NVD",
"availabilityImpact": "Partial",
"baseScore": 7.5,
"confidentialityImpact": "Partial",
"exploitabilityScore": null,
"id": "CVE-2014-0114",
"impactScore": null,
"integrityImpact": "Partial",
"obtainAllPrivilege": null,
"obtainOtherPrivilege": null,
"obtainUserPrivilege": null,
"severity": "High",
"trust": 0.9,
"userInteractionRequired": null,
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
}
],
"cvssV3": [
{
"attackComplexity": "Low",
"attackVector": "Network",
"author": "IPA",
"availabilityImpact": "High",
"baseScore": 9.8,
"baseSeverity": "Critical",
"confidentialityImpact": "High",
"exploitabilityScore": null,
"id": "JVNDB-2020-006468",
"impactScore": null,
"integrityImpact": "High",
"privilegesRequired": "None",
"scope": "Unchanged",
"trust": 0.8,
"userInteraction": "None",
"vectorString": "3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
}
],
"severity": [
{
"author": "NVD",
"id": "CVE-2014-0114",
"trust": 1.8,
"value": "HIGH"
},
{
"author": "IPA",
"id": "JVNDB-2020-006468",
"trust": 0.8,
"value": "Critical"
},
{
"author": "VULMON",
"id": "CVE-2014-0114",
"trust": 0.1,
"value": "HIGH"
}
]
}
],
"sources": [
{
"db": "VULMON",
"id": "CVE-2014-0114"
},
{
"db": "JVNDB",
"id": "JVNDB-2020-006468"
},
{
"db": "JVNDB",
"id": "JVNDB-2014-002308"
},
{
"db": "NVD",
"id": "CVE-2014-0114"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Apache Commons BeanUtils, as distributed in lib/commons-beanutils-1.8.0.jar in Apache Struts 1.x through 1.3.10 and in other products requiring commons-beanutils through 1.9.2, does not suppress the class property, which allows remote attackers to \"manipulate\" the ClassLoader and execute arbitrary code via the class parameter, as demonstrated by the passing of this parameter to the getClass method of the ActionForm object in Struts 1. An information management system for hospitals that can manage data such as financial management, clinical practice, and pharmacies. OpenClinic GA There are multiple vulnerabilities in. OpenClinic GA The following vulnerabilities exist in. * Avoid authentication via another path or channel (CWE-288) - CVE-2020-14485* Inappropriate restriction of excessive authentication attempts (CWE-307) - CVE-2020-14484* Improper authentication (CWE-287) - CVE-2020-14494* Lack of certification (CWE-862) - CVE-2020-14491* Execution with unnecessary privileges (CWE-250) - CVE-2020-14493* Unlimited upload of dangerous types of files (CWE-434) - CVE-2020-14488* Path traversal (CWE-22) - CVE-2020-14490* Inappropriate authorization process (CWE-285) - CVE-2020-14486* Cross-site scripting (CWE-79) - CVE-2020-14492* Use of unmaintained third-party products (CWE-1104) - CVE-2020-14495 , CVE-2016-1181 , CVE-2016-1182 Due to * Inadequate protection of credentials (CWE-522) - CVE-2020-14489* Hidden features (CWE-912) - CVE-2020-14487 * However, this vulnerability is Version 5.89.05b Does not affectThe expected impact depends on each vulnerability, but it may be affected as follows. * A remote attacker initiates a session by bypassing client-side access control or sending a specially crafted request. SQL Performs administrator functions such as query execution - CVE-2020-14485* A remote attacker bypasses the system\u0027s account lock feature and brute force attacks ( Brute force attack ) Is executed - CVE-2020-14484* In this system, brute force attack ( Brute force attack ) Insufficient protection mechanism allows an unauthenticated attacker to access the system with more than the maximum number of attempts. - CVE-2020-14494* The system SQL Since it does not check the execution permission of the query, a user with lower permission can access information that requires higher permission. - CVE-2020-14491* In this system, with relatively low authority SQL It is possible to write any file by executing, and as a result, any command is executed on the system. - CVE-2020-14493* The system does not properly validate uploaded files, so a low-privileged attacker uploads and executes arbitrary files on the system. - CVE-2020-14488* Executing a file that contains any local file specified by a parameter exposes sensitive information or executes an uploaded malicious file. - CVE-2020-14490* By avoiding the redirect process that is executed when authentication fails, an unauthenticated attacker can execute a command illegally. - CVE-2020-14486* Malicious code is executed on the user\u0027s browser because the user\u0027s input value is not properly validated. - CVE-2020-14492* Known vulnerabilities in end-of-support third-party software used by the system (CVE-2014-0114 , CVE-2016-1181 , CVE-2016-1182) Malicious code executed by a remote attacker due to * There is a flaw in the hashing process when saving the password, and the password is stolen by a dictionary attack. - CVE-2020-14489* A user account set by default exists in the system in an accessible state, and an attacker can use that account to execute arbitrary commands. - CVE-2020-14487. -----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA1\n\n=====================================================================\n Red Hat Security Advisory\n\nSynopsis: Important: Fuse ESB Enterprise 7.1.0 security update\nAdvisory ID: RHSA-2014:0498-01\nProduct: Fuse Enterprise Middleware\nAdvisory URL: https://rhn.redhat.com/errata/RHSA-2014-0498.html\nIssue date: 2014-05-14\nCVE Names: CVE-2014-0114 \n=====================================================================\n\n1. Summary:\n\nFuse ESB Enterprise 7.1.0 R1 P4 (Patch 4 on Rollup Patch 1), a security\nupdate that addresses one security issue, is now available from the Red Hat\nCustomer Portal. \n\nThe Red Hat Security Response Team has rated this update as having\nImportant security impact. A Common Vulnerability Scoring System (CVSS)\nbase score, which gives a detailed severity rating, is available from the\nCVE link in the References section. \n\n2. Description:\n\nFuse ESB Enterprise is an integration platform based on Apache ServiceMix. \nA remote attacker could use this flaw to manipulate the ClassLoader used by\nan application server running Struts 1. This could lead to remote code\nexecution under certain conditions. (CVE-2014-0114)\n\nRefer to the readme.txt file included with the patch files for\ninstallation instructions. \n\nAll users of Fuse ESB Enterprise 7.1.0 as provided from the Red Hat\nCustomer Portal are advised to apply this security update. \n\n3. Solution:\n\nThe References section of this erratum contains a download link (you must\nlog in to download the update). \n\n4. Bugs fixed (https://bugzilla.redhat.com/):\n\n1091938 - CVE-2014-0114 Apache Struts 1: Class Loader manipulation via request parameters\n\n5. References:\n\nhttps://www.redhat.com/security/data/cve/CVE-2014-0114.html\nhttps://access.redhat.com/security/updates/classification/#important\nhttps://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=fuse.esb.enterprise\u0026downloadType=securityPatches\u0026version=7.1.0\n\n6. Contact:\n\nThe Red Hat security contact is \u003csecalert@redhat.com\u003e. More contact\ndetails at https://access.redhat.com/security/team/contact/\n\nCopyright 2014 Red Hat, Inc. \n-----BEGIN PGP SIGNATURE-----\nVersion: GnuPG v1.4.4 (GNU/Linux)\n\niD8DBQFTc7htXlSAg2UNWIIRAtEjAJ42Q72A3+z4BA2MCJI8i0qyTvdSrgCeJitA\ne2zBKDmixb/nax84cDhcYLo=\n=d5S2\n-----END PGP SIGNATURE-----\n\n\n--\nRHSA-announce mailing list\nRHSA-announce@redhat.com\nhttps://www.redhat.com/mailman/listinfo/rhsa-announce\n. -----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA256\n\nNote: the current version of the following document is available here:\nhttps://h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-c05324755\n\nSUPPORT COMMUNICATION - SECURITY BULLETIN\n\nDocument ID: c05324755\nVersion: 1\n\nHPSBGN03669 rev.1 - HPE SiteScope, Local Elevation of Privilege, Remote\nDenial of Service, Arbitrary Code Execution and Cross-Site Request Forgery\n\nNOTICE: The information in this Security Bulletin should be acted upon as\nsoon as possible. \n\nRelease Date: 2016-11-04\nLast Updated: 2016-11-04\n\nPotential Security Impact: Local: Elevation of Privilege; Remote: Arbitrary\nCode Execution, Cross-Site Request Forgery (CSRF), Denial of Service (DoS)\n\nSource: Hewlett Packard Enterprise, Product Security Response Team\n\nVULNERABILITY SUMMARY\nPotential vulnerabilities have been identified in HPE SiteScope. The\nvulnerabilities could be exploited to allow local elevation of privilege and\nexploited remotely to allow denial of service, arbitrary code execution,\ncross-site request forgery. \n\nReferences:\n\n - CVE-2014-0114 - Apache Struts, execution of arbitrary code\n - CVE-2016-0763 - Apache Tomcat, denial of service (DoS)\n - CVE-2014-0107 - Apache XML Xalan, bypass expected restrictions \n - CVE-2015-3253 - Apache Groovy, execution of arbitrary code \n - CVE-2015-5652 - Python, elevation of privilege\n - CVE-2013-6429 - Spring Framework, cross-site request forgery\n - CVE-2014-0050 - Apache Commons FileUpload, denial of service (DoS)\n - PSRT110264\n\nSUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed. \n\n - HP SiteScope Monitors Software Series 11.2xa11.32IP1\n\nBACKGROUND\n\n CVSS Base Metrics\n =================\n Reference, CVSS V3 Score/Vector, CVSS V2 Score/Vector\n\n CVE-2013-6429\n 6.5 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L\n 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)\n\n CVE-2014-0050\n 8.3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L\n 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)\n\n CVE-2014-0107\n 8.3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L\n 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)\n\n CVE-2014-0114\n 6.8 CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L\n 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)\n\n CVE-2015-3253\n 7.1 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L\n 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)\n\n CVE-2015-5652\n 8.6 CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H\n 7.2 (AV:L/AC:L/Au:N/C:C/I:C/A:C)\n\n CVE-2016-0763\n 6.3 CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L\n 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)\n\n Information on CVSS is documented in\n HPE Customer Notice HPSN-2008-002 here:\n\nhttps://h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-c01345499\n\nRESOLUTION\n\nHPE has provided a resolution via an update to HPE SiteScope. Details on the\nupdate and each vulnerability are in the KM articles below. \n\n **Note:** The resolution for each vulnerability listed is to upgrade to\nSiteScope 11.32IP2 or an even more recent version of SiteScope if available. \nThe SiteScope update can be can found in the personal zone in \"my updates\" in\nHPE Software Support Online: \u003chttps://softwaresupport.hpe.com\u003e. \n\n\n * Apache Commons FileUpload: KM02550251 (CVE-2014-0050): \n\n +\n\u003chttps://softwaresupport.hpe.com/group/softwaresupport/search-result/-/facets\narch/document/KM02550251\u003e\n\n\n * Apache Struts: KM02553983 (CVE-2014-0114):\n\n +\n\u003chttps://softwaresupport.hpe.com/group/softwaresupport/search-result/-/facets\narch/document/KM02553983\u003e\n\n\n * Apache Tomcat: KM02553990 (CVE-2016-0763):\n\n +\n\u003chttps://softwaresupport.hpe.com/group/softwaresupport/search-result/-/facets\narch/document/KM02553990\u003e\n\n * Apache XML Xalan: KM02553991 (CVE-2014-0107):\n\n +\n\u003chttps://softwaresupport.hpe.com/group/softwaresupport/search-result/-/facets\narch/document/KM02553991\u003e\n\n * Apache Groovy: KM02553992 (CVE-2015-3253):\n\n +\n\u003chttps://softwaresupport.hpe.com/group/softwaresupport/search-result/-/facets\narch/document/KM02553992\u003e\n\n * Python: KM02553997 (CVE-2015-5652):\n\n *\n\u003chttps://softwaresupport.hpe.com/group/softwaresupport/search-result/-/facets\narch/document/KM02553997\u003e\n\n * Spring Framework: KM02553998 (CVE-2013-6429):\n\n +\n\u003chttps://softwaresupport.hpe.com/group/softwaresupport/search-result/-/facets\narch/document/KM02553998\u003e\n\nHISTORY\nVersion:1 (rev.1) - 4 November 2016 Initial release\n\nThird Party Security Patches: Third party security patches that are to be\ninstalled on systems running Hewlett Packard Enterprise (HPE) software\nproducts should be applied in accordance with the customer\u0027s patch management\npolicy. \n\nSupport: For issues about implementing the recommendations of this Security\nBulletin, contact normal HPE Services support channel. For other issues about\nthe content of this Security Bulletin, send e-mail to security-alert@hpe.com. \n\nReport: To report a potential security vulnerability for any HPE supported\nproduct:\n Web form: https://www.hpe.com/info/report-security-vulnerability\n Email: security-alert@hpe.com\n\nSubscribe: To initiate a subscription to receive future HPE Security Bulletin\nalerts via Email: http://www.hpe.com/support/Subscriber_Choice\n\nSecurity Bulletin Archive: A list of recently released Security Bulletins is\navailable here: http://www.hpe.com/support/Security_Bulletin_Archive\n\nSoftware Product Category: The Software Product Category is represented in\nthe title by the two characters following HPSB. \n\n3C = 3COM\n3P = 3rd Party Software\nGN = HPE General Software\nHF = HPE Hardware and Firmware\nMU = Multi-Platform Software\nNS = NonStop Servers\nOV = OpenVMS\nPV = ProCurve\nST = Storage Software\nUX = HP-UX\n\nCopyright 2016 Hewlett Packard Enterprise\n\nHewlett Packard Enterprise shall not be liable for technical or editorial\nerrors or omissions contained herein. The information provided is provided\n\"as is\" without warranty of any kind. To the extent permitted by law, neither\nHP or its affiliates, subcontractors or suppliers will be liable for\nincidental,special or consequential damages including downtime cost; lost\nprofits; damages relating to the procurement of substitute products or\nservices; or damages for loss of data, or software restoration. The\ninformation in this document is subject to change without notice. Hewlett\nPackard Enterprise and the names of Hewlett Packard Enterprise products\nreferenced herein are trademarks of Hewlett Packard Enterprise in the United\nStates and other countries. Other product and company names mentioned herein\nmay be trademarks of their respective owners. \n\nReferences: CVE-2014-0114, SSRT101566\n\nSUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed. \n\nMitigation information for the Apache Struts vulnerability (CVE-2014-0114) is\navailable at the following location:\n\nhttp://h30499.www3.hp.com/t5/HP-Security-Research-Blog/Protect-your-Struts1-a\npplications/ba-p/6463188#.U2J7xeaSxro\n\nJapanese information is available at the following location:\n\nhttp://www.hp.com/jp/icewall_patchaccess\n\nNote: The HP IceWall product is only available in Japan. \nHewlett-Packard Company shall not be liable for technical or editorial errors\nor omissions contained herein",
"sources": [
{
"db": "NVD",
"id": "CVE-2014-0114"
},
{
"db": "JVNDB",
"id": "JVNDB-2020-006468"
},
{
"db": "JVNDB",
"id": "JVNDB-2014-002308"
},
{
"db": "VULMON",
"id": "CVE-2014-0114"
},
{
"db": "PACKETSTORM",
"id": "126619"
},
{
"db": "PACKETSTORM",
"id": "127868"
},
{
"db": "PACKETSTORM",
"id": "128873"
},
{
"db": "PACKETSTORM",
"id": "139721"
},
{
"db": "PACKETSTORM",
"id": "126811"
}
],
"trust": 2.88
},
"exploit_availability": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/exploit_availability#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"reference": "https://vulmon.com/exploitdetails?qidtp=exploitdb\u0026qid=41690",
"trust": 0.1,
"type": "exploit"
}
],
"sources": [
{
"db": "VULMON",
"id": "CVE-2014-0114"
}
]
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "NVD",
"id": "CVE-2014-0114",
"trust": 3.2
},
{
"db": "ICS CERT",
"id": "ICSMA-20-184-01",
"trust": 1.6
},
{
"db": "SECUNIA",
"id": "59430",
"trust": 1.0
},
{
"db": "SECUNIA",
"id": "60177",
"trust": 1.0
},
{
"db": "SECUNIA",
"id": "59246",
"trust": 1.0
},
{
"db": "SECUNIA",
"id": "59118",
"trust": 1.0
},
{
"db": "SECUNIA",
"id": "59464",
"trust": 1.0
},
{
"db": "SECUNIA",
"id": "59704",
"trust": 1.0
},
{
"db": "SECUNIA",
"id": "58710",
"trust": 1.0
},
{
"db": "SECUNIA",
"id": "59718",
"trust": 1.0
},
{
"db": "SECUNIA",
"id": "59228",
"trust": 1.0
},
{
"db": "SECUNIA",
"id": "57477",
"trust": 1.0
},
{
"db": "SECUNIA",
"id": "58947",
"trust": 1.0
},
{
"db": "SECUNIA",
"id": "60703",
"trust": 1.0
},
{
"db": "SECUNIA",
"id": "58851",
"trust": 1.0
},
{
"db": "SECUNIA",
"id": "59245",
"trust": 1.0
},
{
"db": "SECUNIA",
"id": "59014",
"trust": 1.0
},
{
"db": "SECUNIA",
"id": "59479",
"trust": 1.0
},
{
"db": "SECUNIA",
"id": "59480",
"trust": 1.0
},
{
"db": "OPENWALL",
"id": "OSS-SECURITY/2014/07/08/1",
"trust": 1.0
},
{
"db": "OPENWALL",
"id": "OSS-SECURITY/2014/06/15/10",
"trust": 1.0
},
{
"db": "BID",
"id": "67121",
"trust": 1.0
},
{
"db": "JVN",
"id": "JVNVU96290700",
"trust": 0.8
},
{
"db": "JVNDB",
"id": "JVNDB-2020-006468",
"trust": 0.8
},
{
"db": "JVNDB",
"id": "JVNDB-2014-000056",
"trust": 0.8
},
{
"db": "JVNDB",
"id": "JVNDB-2014-002308",
"trust": 0.8
},
{
"db": "VULMON",
"id": "CVE-2014-0114",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "126619",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "127868",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "128873",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "139721",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "126811",
"trust": 0.1
}
],
"sources": [
{
"db": "VULMON",
"id": "CVE-2014-0114"
},
{
"db": "JVNDB",
"id": "JVNDB-2020-006468"
},
{
"db": "JVNDB",
"id": "JVNDB-2014-002308"
},
{
"db": "PACKETSTORM",
"id": "126619"
},
{
"db": "PACKETSTORM",
"id": "127868"
},
{
"db": "PACKETSTORM",
"id": "128873"
},
{
"db": "PACKETSTORM",
"id": "139721"
},
{
"db": "PACKETSTORM",
"id": "126811"
},
{
"db": "NVD",
"id": "CVE-2014-0114"
}
]
},
"id": "VAR-201404-0288",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "VARIoT devices database",
"id": null
}
],
"trust": 0.20729166999999998
},
"last_update_date": "2024-07-23T19:41:23.375000Z",
"patch": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/patch#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"title": "OpenClinic\u00a0GA",
"trust": 0.8,
"url": "https://sourceforge.net/projects/open-clinic/"
},
{
"title": "Interstage\u00a0Navigator\u00a0Explorer\u00a0Server",
"trust": 0.8,
"url": "https://issues.apache.org/jira/browse/beanutils-463"
},
{
"title": "Red Hat: Important: Red Hat A-MQ Broker 7.5 release and security update",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories\u0026qid=rhsa-20192995 - security advisory"
},
{
"title": "Debian CVElist Bug Report Logs: libstruts1.2-java: CVE-2014-0114",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=debian_cvelist_bugreportlogs\u0026qid=96f4091aa31a0ece729fdcb110066df5"
},
{
"title": "Red Hat: CVE-2014-0114",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=red_hat_cve_database\u0026qid=cve-2014-0114"
},
{
"title": "Red Hat: Important: Fuse 7.1 security update",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories\u0026qid=rhsa-20182669 - security advisory"
},
{
"title": "IBM: IBM Security Bulletin: Multiple Security Vulnerabilities have been fixed in IBM Security Privileged Identity Manager Appliance.",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=ibm_psirt_blog\u0026qid=f5bb2b180c7c77e5a02747a1f31830d9"
},
{
"title": "Oracle: Oracle Critical Patch Update Advisory - January 2019",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=oracle_advisories\u0026qid=f655264a6935505d167bbf45f409a57b"
},
{
"title": "Oracle: Oracle Critical Patch Update Advisory - October 2018",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=oracle_advisories\u0026qid=81c63752a6f26433af2128b2e8c02385"
},
{
"title": "Oracle: Oracle Critical Patch Update Advisory - January 2018",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=oracle_advisories\u0026qid=e2a7f287e9acc8c64ab3df71130bc64d"
},
{
"title": "IBM: IBM Security Bulletin: IBM has announced a release for IBM Security Identity Governance and Intelligence in response to multiple security vulnerabilities",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=ibm_psirt_blog\u0026qid=55ea315dfb69fce8383762ac64250315"
},
{
"title": "Oracle: Oracle Critical Patch Update Advisory - April 2017",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=oracle_advisories\u0026qid=143b3fb255063c81571469eaa3cf0a87"
},
{
"title": "Oracle: Oracle Critical Patch Update Advisory - October 2017",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=oracle_advisories\u0026qid=523d3f220a64ff01dd95e064bd37566a"
},
{
"title": "IBM: Security Bulletin: Netcool Operations Insight v1.6.6 contains fixes for multiple security vulnerabilities.",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=ibm_psirt_blog\u0026qid=68c6989b84f14aaac220c13b754c7702"
},
{
"title": "Oracle: Oracle Critical Patch Update Advisory - January 2015",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=oracle_advisories\u0026qid=4a692d6d60aa31507cb101702b494c51"
},
{
"title": "Oracle: Oracle Critical Patch Update Advisory - October 2016",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=oracle_advisories\u0026qid=05aabe19d38058b7814ef5514aab4c0c"
},
{
"title": "Oracle: Oracle Critical Patch Update Advisory - July 2018",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=oracle_advisories\u0026qid=5f8c525f1408011628af1792207b2099"
},
{
"title": "struts1-patch",
"trust": 0.1,
"url": "https://github.com/ricedu/struts1-patch "
},
{
"title": "",
"trust": 0.1,
"url": "https://github.com/weblegacy/struts1 "
},
{
"title": "struts1filter",
"trust": 0.1,
"url": "https://github.com/rgielen/struts1filter "
},
{
"title": "StrutsExample",
"trust": 0.1,
"url": "https://github.com/vikasvns2000/strutsexample "
},
{
"title": "struts-mini",
"trust": 0.1,
"url": "https://github.com/bingcai/struts-mini "
},
{
"title": "strutt-cve-2014-0114",
"trust": 0.1,
"url": "https://github.com/anob3it/strutt-cve-2014-0114 "
},
{
"title": "super-pom",
"trust": 0.1,
"url": "https://github.com/ian4hu/super-pom "
}
],
"sources": [
{
"db": "VULMON",
"id": "CVE-2014-0114"
},
{
"db": "JVNDB",
"id": "JVNDB-2020-006468"
},
{
"db": "JVNDB",
"id": "JVNDB-2014-002308"
}
]
},
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "CWE-20",
"trust": 1.0
},
{
"problemtype": "Use of unmaintained third-party components (CWE-1104) [IPA Evaluation ]",
"trust": 0.8
},
{
"problemtype": " Path traversal (CWE-22) [IPA Evaluation ]",
"trust": 0.8
},
{
"problemtype": " Execution with unnecessary privileges (CWE-250) [IPA Evaluation ]",
"trust": 0.8
},
{
"problemtype": " Inappropriate authorization (CWE-285) [IPA Evaluation ]",
"trust": 0.8
},
{
"problemtype": " Improper authentication (CWE-287) [IPA Evaluation ]",
"trust": 0.8
},
{
"problemtype": " Authentication bypass using alternate path or channel (CWE-288) [IPA Evaluation ]",
"trust": 0.8
},
{
"problemtype": " Inappropriate restriction of excessive authentication attempts (CWE-307) [IPA Evaluation ]",
"trust": 0.8
},
{
"problemtype": " Unlimited upload of dangerous types of files (CWE-434) [IPA Evaluation ]",
"trust": 0.8
},
{
"problemtype": " Inadequate protection of credentials (CWE-522) [IPA Evaluation ]",
"trust": 0.8
},
{
"problemtype": " Cross-site scripting (CWE-79) [IPA Evaluation ]",
"trust": 0.8
},
{
"problemtype": " Lack of certification (CWE-862) [IPA Evaluation ]",
"trust": 0.8
},
{
"problemtype": " Private features (CWE-912) [IPA Evaluation ]",
"trust": 0.8
},
{
"problemtype": "Incorrect input confirmation (CWE-20) [NVD Evaluation ]",
"trust": 0.8
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2020-006468"
},
{
"db": "JVNDB",
"id": "JVNDB-2014-002308"
},
{
"db": "NVD",
"id": "CVE-2014-0114"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 1.0,
"url": "http://advisories.mageia.org/mgasa-2014-0219.html"
},
{
"trust": 1.0,
"url": "http://apache-ignite-developers.2346864.n4.nabble.com/cve-2014-0114-apache-ignite-is-vulnerable-to-existing-cve-2014-0114-td31205.html"
},
{
"trust": 1.0,
"url": "http://commons.apache.org/proper/commons-beanutils/javadocs/v1.9.2/release-notes.txt"
},
{
"trust": 1.0,
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2014-august/136958.html"
},
{
"trust": 1.0,
"url": "http://marc.info/?l=bugtraq\u0026m=140119284401582\u0026w=2"
},
{
"trust": 1.0,
"url": "http://marc.info/?l=bugtraq\u0026m=140801096002766\u0026w=2"
},
{
"trust": 1.0,
"url": "http://marc.info/?l=bugtraq\u0026m=141451023707502\u0026w=2"
},
{
"trust": 1.0,
"url": "http://openwall.com/lists/oss-security/2014/06/15/10"
},
{
"trust": 1.0,
"url": "http://openwall.com/lists/oss-security/2014/07/08/1"
},
{
"trust": 1.0,
"url": "http://seclists.org/fulldisclosure/2014/dec/23"
},
{
"trust": 1.0,
"url": "http://secunia.com/advisories/57477"
},
{
"trust": 1.0,
"url": "http://secunia.com/advisories/58710"
},
{
"trust": 1.0,
"url": "http://secunia.com/advisories/58851"
},
{
"trust": 1.0,
"url": "http://secunia.com/advisories/58947"
},
{
"trust": 1.0,
"url": "http://secunia.com/advisories/59014"
},
{
"trust": 1.0,
"url": "http://secunia.com/advisories/59118"
},
{
"trust": 1.0,
"url": "http://secunia.com/advisories/59228"
},
{
"trust": 1.0,
"url": "http://secunia.com/advisories/59245"
},
{
"trust": 1.0,
"url": "http://secunia.com/advisories/59246"
},
{
"trust": 1.0,
"url": "http://secunia.com/advisories/59430"
},
{
"trust": 1.0,
"url": "http://secunia.com/advisories/59464"
},
{
"trust": 1.0,
"url": "http://secunia.com/advisories/59479"
},
{
"trust": 1.0,
"url": "http://secunia.com/advisories/59480"
},
{
"trust": 1.0,
"url": "http://secunia.com/advisories/59704"
},
{
"trust": 1.0,
"url": "http://secunia.com/advisories/59718"
},
{
"trust": 1.0,
"url": "http://secunia.com/advisories/60177"
},
{
"trust": 1.0,
"url": "http://secunia.com/advisories/60703"
},
{
"trust": 1.0,
"url": "http://www-01.ibm.com/support/docview.wss?uid=swg21674128"
},
{
"trust": 1.0,
"url": "http://www-01.ibm.com/support/docview.wss?uid=swg21674812"
},
{
"trust": 1.0,
"url": "http://www-01.ibm.com/support/docview.wss?uid=swg21675266"
},
{
"trust": 1.0,
"url": "http://www-01.ibm.com/support/docview.wss?uid=swg21675387"
},
{
"trust": 1.0,
"url": "http://www-01.ibm.com/support/docview.wss?uid=swg21675689"
},
{
"trust": 1.0,
"url": "http://www-01.ibm.com/support/docview.wss?uid=swg21675898"
},
{
"trust": 1.0,
"url": "http://www-01.ibm.com/support/docview.wss?uid=swg21675972"
},
{
"trust": 1.0,
"url": "http://www-01.ibm.com/support/docview.wss?uid=swg21676091"
},
{
"trust": 1.0,
"url": "http://www-01.ibm.com/support/docview.wss?uid=swg21676110"
},
{
"trust": 1.0,
"url": "http://www-01.ibm.com/support/docview.wss?uid=swg21676303"
},
{
"trust": 1.0,
"url": "http://www-01.ibm.com/support/docview.wss?uid=swg21676375"
},
{
"trust": 1.0,
"url": "http://www-01.ibm.com/support/docview.wss?uid=swg21676931"
},
{
"trust": 1.0,
"url": "http://www-01.ibm.com/support/docview.wss?uid=swg21677110"
},
{
"trust": 1.0,
"url": "http://www-01.ibm.com/support/docview.wss?uid=swg27042296"
},
{
"trust": 1.0,
"url": "http://www.debian.org/security/2014/dsa-2940"
},
{
"trust": 1.0,
"url": "http://www.ibm.com/support/docview.wss?uid=swg21675496"
},
{
"trust": 1.0,
"url": "http://www.mandriva.com/security/advisories?name=mdvsa-2014:095"
},
{
"trust": 1.0,
"url": "http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html"
},
{
"trust": 1.0,
"url": "http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html"
},
{
"trust": 1.0,
"url": "http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html"
},
{
"trust": 1.0,
"url": "http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html"
},
{
"trust": 1.0,
"url": "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html"
},
{
"trust": 1.0,
"url": "http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html"
},
{
"trust": 1.0,
"url": "http://www.oracle.com/technetwork/topics/security/cpujul2014-1972956.html"
},
{
"trust": 1.0,
"url": "http://www.oracle.com/technetwork/topics/security/cpuoct2014-1972960.html"
},
{
"trust": 1.0,
"url": "http://www.securityfocus.com/archive/1/534161/100/0/threaded"
},
{
"trust": 1.0,
"url": "http://www.securityfocus.com/bid/67121"
},
{
"trust": 1.0,
"url": "http://www.vmware.com/security/advisories/vmsa-2014-0008.html"
},
{
"trust": 1.0,
"url": "http://www.vmware.com/security/advisories/vmsa-2014-0012.html"
},
{
"trust": 1.0,
"url": "https://access.redhat.com/errata/rhsa-2018:2669"
},
{
"trust": 1.0,
"url": "https://access.redhat.com/errata/rhsa-2019:2995"
},
{
"trust": 1.0,
"url": "https://access.redhat.com/solutions/869353"
},
{
"trust": 1.0,
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1091938"
},
{
"trust": 1.0,
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1116665"
},
{
"trust": 1.0,
"url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docdisplay?docid=emr_na-c05324755"
},
{
"trust": 1.0,
"url": "https://issues.apache.org/jira/browse/beanutils-463"
},
{
"trust": 1.0,
"url": "https://lists.apache.org/thread.html/0340493a1ddf3660dee09a5c503449cdac5bec48cdc478de65858859%40%3cdev.commons.apache.org%3e"
},
{
"trust": 1.0,
"url": "https://lists.apache.org/thread.html/080af531a9113e29d3f6a060e3f992dc9f40315ec7234e15c3b339e3%40%3cissues.commons.apache.org%3e"
},
{
"trust": 1.0,
"url": "https://lists.apache.org/thread.html/084ae814e69178d2ce174cfdf149bc6e46d7524f3308c08d3adb43cb%40%3cissues.commons.apache.org%3e"
},
{
"trust": 1.0,
"url": "https://lists.apache.org/thread.html/098e9aae118ac5c06998a9ba4544ab2475162981d290fdef88e6f883%40%3cissues.commons.apache.org%3e"
},
{
"trust": 1.0,
"url": "https://lists.apache.org/thread.html/09981ae3df188a2ad1ce20f62ef76a5b2d27cf6b9ebab366cf1d6cc6%40%3cissues.commons.apache.org%3e"
},
{
"trust": 1.0,
"url": "https://lists.apache.org/thread.html/0a35108a56e2d575e3b3985588794e39fbf264097aba66f4c5569e4f%40%3cuser.commons.apache.org%3e"
},
{
"trust": 1.0,
"url": "https://lists.apache.org/thread.html/0efed939139f5b9dcd62b8acf7cb8a9789227d14abdc0c6f141c4a4c%40%3cissues.activemq.apache.org%3e"
},
{
"trust": 1.0,
"url": "https://lists.apache.org/thread.html/1565e8b786dff4cb3b48ecc8381222c462c92076c9e41408158797b5%40%3ccommits.commons.apache.org%3e"
},
{
"trust": 1.0,
"url": "https://lists.apache.org/thread.html/15fcdf27fa060de276edc0b4098526afc21c236852eb3de9be9594f3%40%3cissues.commons.apache.org%3e"
},
{
"trust": 1.0,
"url": "https://lists.apache.org/thread.html/1f78f1e32cc5614ec0c5b822ba4bd7fc8e8b5c46c8e038b6bd609cb5%40%3cissues.commons.apache.org%3e"
},
{
"trust": 1.0,
"url": "https://lists.apache.org/thread.html/2454e058fd05ba30ca29442fdeb7ea47505d47a888fbc9f3a53f31d0%40%3cissues.commons.apache.org%3e"
},
{
"trust": 1.0,
"url": "https://lists.apache.org/thread.html/2ba22f2e3de945039db735cf6cbf7f8be901ab2537337c7b1dd6a0f0%40%3cissues.commons.apache.org%3e"
},
{
"trust": 1.0,
"url": "https://lists.apache.org/thread.html/31f9dc2c9cb68e390634a4202f84b8569f64b6569bfcce46348fd9fd%40%3ccommits.commons.apache.org%3e"
},
{
"trust": 1.0,
"url": "https://lists.apache.org/thread.html/37e1ed724a1b0e5d191d98c822c426670bdfde83804567131847d2a3%40%3cdevnull.infra.apache.org%3e"
},
{
"trust": 1.0,
"url": "https://lists.apache.org/thread.html/3f500972dceb48e3cb351f58565aecf6728b1ea7a69593af86c30b30%40%3cissues.activemq.apache.org%3e"
},
{
"trust": 1.0,
"url": "https://lists.apache.org/thread.html/40fc236a35801a535cd49cf1979dbeab034b833c63a284941bce5bf1%40%3cdev.commons.apache.org%3e"
},
{
"trust": 1.0,
"url": "https://lists.apache.org/thread.html/42ad6326d62ea8453d0d0ce12eff39bbb7c5b4fca9639da007291346%40%3cissues.commons.apache.org%3e"
},
{
"trust": 1.0,
"url": "https://lists.apache.org/thread.html/4c3fd707a049bfe0577dba8fc9c4868ffcdabe68ad86586a0a49242e%40%3cissues.commons.apache.org%3e"
},
{
"trust": 1.0,
"url": "https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f%40%3cdev.drill.apache.org%3e"
},
{
"trust": 1.0,
"url": "https://lists.apache.org/thread.html/65b39fa6d700e511927e5668a4038127432178a210aff81500eb36e5%40%3cissues.commons.apache.org%3e"
},
{
"trust": 1.0,
"url": "https://lists.apache.org/thread.html/66176fa3caeca77058d9f5b0316419a43b4c3fa2b572e05b87132226%40%3cissues.commons.apache.org%3e"
},
{
"trust": 1.0,
"url": "https://lists.apache.org/thread.html/6afe2f935493e69a332b9c5a4f23cafe95c15ede1591a492cf612293%40%3cissues.commons.apache.org%3e"
},
{
"trust": 1.0,
"url": "https://lists.apache.org/thread.html/6b30629b32d020c40d537f00b004d281c37528d471de15ca8aec2cd4%40%3cissues.commons.apache.org%3e"
},
{
"trust": 1.0,
"url": "https://lists.apache.org/thread.html/708d94141126eac03011144a971a6411fcac16d9c248d1d535a39451%40%3csolr-user.lucene.apache.org%3e"
},
{
"trust": 1.0,
"url": "https://lists.apache.org/thread.html/869c08899f34c1a70c9fb42f92ac0d043c98781317e0c19d7ba3f5e3%40%3cissues.commons.apache.org%3e"
},
{
"trust": 1.0,
"url": "https://lists.apache.org/thread.html/88c497eead24ed517a2bb3159d3dc48725c215e97fe7a98b2cf3ea25%40%3cdev.commons.apache.org%3e"
},
{
"trust": 1.0,
"url": "https://lists.apache.org/thread.html/8e2bdfabd5b14836aa3cf900aa0a62ff9f4e22a518bb4e553ebcf55f%40%3cissues.commons.apache.org%3e"
},
{
"trust": 1.0,
"url": "https://lists.apache.org/thread.html/918ec15a80fc766ff46c5d769cb8efc88fed6674faadd61a7105166b%40%3cannounce.apache.org%3e"
},
{
"trust": 1.0,
"url": "https://lists.apache.org/thread.html/9317fd092b257a0815434b116a8af8daea6e920b6673f4fd5583d5fe%40%3ccommits.druid.apache.org%3e"
},
{
"trust": 1.0,
"url": "https://lists.apache.org/thread.html/956995acee0d8bc046f1df0a55b7fbeb65dd2f82864e5de1078bacb0%40%3cissues.commons.apache.org%3e"
},
{
"trust": 1.0,
"url": "https://lists.apache.org/thread.html/97fc033dad4233a5d82fcb75521eabdd23dd99ef32eb96f407f96a1a%40%3cissues.commons.apache.org%3e"
},
{
"trust": 1.0,
"url": "https://lists.apache.org/thread.html/9b5505632f5683ee17bda4f7878525e672226c7807d57709283ffa64%40%3cissues.commons.apache.org%3e"
},
{
"trust": 1.0,
"url": "https://lists.apache.org/thread.html/aa4ca069c7aea5b1d7329bc21576c44a39bcc4eb7bb2760c4b16f2f6%40%3cissues.commons.apache.org%3e"
},
{
"trust": 1.0,
"url": "https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442%40%3cdev.drill.apache.org%3e"
},
{
"trust": 1.0,
"url": "https://lists.apache.org/thread.html/c24c0b931632a397142882ba248b7bd440027960f22845c6f664c639%40%3ccommits.commons.apache.org%3e"
},
{
"trust": 1.0,
"url": "https://lists.apache.org/thread.html/c70da3cb6e3f03e0ad8013e38b6959419d866c4a7c80fdd34b73f25c%40%3ccommits.pulsar.apache.org%3e"
},
{
"trust": 1.0,
"url": "https://lists.apache.org/thread.html/c7e31c3c90b292e0bafccc4e1b19c9afc1503a65d82cb7833dfd7478%40%3cissues.commons.apache.org%3e"
},
{
"trust": 1.0,
"url": "https://lists.apache.org/thread.html/cee6b1c4533be1a753614f6a7d7c533c42091e7cafd7053b8f62792a%40%3cissues.commons.apache.org%3e"
},
{
"trust": 1.0,
"url": "https://lists.apache.org/thread.html/d27c51b3c933f885460aa6d3004eb228916615caaaddbb8e8bfeeb40%40%3cgitbox.activemq.apache.org%3e"
},
{
"trust": 1.0,
"url": "https://lists.apache.org/thread.html/df093c662b5e49fe9e38ef91f78ffab09d0839dea7df69a747dffa86%40%3cdev.commons.apache.org%3e"
},
{
"trust": 1.0,
"url": "https://lists.apache.org/thread.html/df1c385f2112edffeff57a6b21d12e8d24031a9f578cb8ba22a947a8%40%3cissues.commons.apache.org%3e"
},
{
"trust": 1.0,
"url": "https://lists.apache.org/thread.html/ebc4f019798f6ce2a39f3e0c26a9068563a9ba092cdf3ece398d4e2f%40%3cnotifications.commons.apache.org%3e"
},
{
"trust": 1.0,
"url": "https://lists.apache.org/thread.html/f3682772e62926b5c009eed63c62767021be6da0bb7427610751809f%40%3cissues.commons.apache.org%3e"
},
{
"trust": 1.0,
"url": "https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc%40%3cissues.drill.apache.org%3e"
},
{
"trust": 1.0,
"url": "https://lists.apache.org/thread.html/fda473f46e51019a78ab217a7a3a3d48dafd90846e75bd5536ef72f3%40%3cnotifications.commons.apache.org%3e"
},
{
"trust": 1.0,
"url": "https://lists.apache.org/thread.html/ffde3f266d3bde190b54c9202169e7918a92de7e7e0337d792dc7263%40%3cissues.commons.apache.org%3e"
},
{
"trust": 1.0,
"url": "https://lists.apache.org/thread.html/r204ba2a9ea750f38d789d2bb429cc0925ad6133deea7cbc3001d96b5%40%3csolr-user.lucene.apache.org%3e"
},
{
"trust": 1.0,
"url": "https://lists.apache.org/thread.html/r458d61eaeadecaad04382ebe583230bc027f48d9e85e4731bc573477%40%3ccommits.dolphinscheduler.apache.org%3e"
},
{
"trust": 1.0,
"url": "https://lists.apache.org/thread.html/r75d67108e557bb5d4c4318435067714a0180de525314b7e8dab9d04e%40%3cissues.activemq.apache.org%3e"
},
{
"trust": 1.0,
"url": "https://lists.apache.org/thread.html/rf5230a049d989dbfdd404b4320a265dceeeba459a4d04ec21873bd55%40%3csolr-user.lucene.apache.org%3e"
},
{
"trust": 1.0,
"url": "https://security.gentoo.org/glsa/201607-09"
},
{
"trust": 1.0,
"url": "https://security.netapp.com/advisory/ntap-20140911-0001/"
},
{
"trust": 1.0,
"url": "https://security.netapp.com/advisory/ntap-20180629-0006/"
},
{
"trust": 1.0,
"url": "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html"
},
{
"trust": 1.0,
"url": "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html"
},
{
"trust": 1.0,
"url": "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html"
},
{
"trust": 0.8,
"url": "http://jvn.jp/vu/jvnvu96290700/index.html"
},
{
"trust": 0.8,
"url": "https://www.us-cert.gov/ics/recommended-practices"
},
{
"trust": 0.8,
"url": "https://www.us-cert.gov/ics/advisories/icsma-20-184-01"
},
{
"trust": 0.8,
"url": "https://www.fda.gov/medical-devices/digital-health/cybersecurity"
},
{
"trust": 0.8,
"url": "http://jvndb.jvn.jp/ja/contents/2014/jvndb-2014-000056.html"
},
{
"trust": 0.8,
"url": "http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2014-0114"
},
{
"trust": 0.8,
"url": "https://us-cert.cisa.gov/ics/advisories/icsma-20-184-01"
},
{
"trust": 0.5,
"url": "https://nvd.nist.gov/vuln/detail/cve-2014-0114"
},
{
"trust": 0.3,
"url": "https://h20564.www2.hp.com/portal/site/hpsc/public/kb/"
},
{
"trust": 0.3,
"url": "https://h20564.www2.hp.com/portal/site/hpsc/public/kb/secbullarchive/"
},
{
"trust": 0.3,
"url": "http://h41183.www4.hp.com/signup_alerts.php?jumpid=hpsc_secbulletins"
},
{
"trust": 0.1,
"url": "https://rhn.redhat.com/errata/rhsa-2014-0498.html"
},
{
"trust": 0.1,
"url": "https://www.redhat.com/mailman/listinfo/rhsa-announce"
},
{
"trust": 0.1,
"url": "https://bugzilla.redhat.com/):"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/jbossnetwork/restricted/listsoftware.html?product=fuse.esb.enterprise\u0026downloadtype=securitypatches\u0026version=7.1.0"
},
{
"trust": 0.1,
"url": "https://www.redhat.com/security/data/cve/cve-2014-0114.html"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/team/contact/"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"trust": 0.1,
"url": "http://support.openview.hp.com/selfsolve/document/lid/sis_00321"
},
{
"trust": 0.1,
"url": "http://support.openview.hp.com/selfsolve/document/lid/sis_00320"
},
{
"trust": 0.1,
"url": "http://support.openview.hp.com/selfsolve/document/lid/sis_00322"
},
{
"trust": 0.1,
"url": "http://support.openview.hp.com/selfsolve/document/lid/sis_00324"
},
{
"trust": 0.1,
"url": "http://support.openview.hp.com/selfsolve/document/lid/sis_00318"
},
{
"trust": 0.1,
"url": "http://support.openview.hp.com/selfsolve/document/lid/sis_00319"
},
{
"trust": 0.1,
"url": "http://support.openview.hp.com/selfsolve/document/lid/sis_00316"
},
{
"trust": 0.1,
"url": "http://support.openview.hp.com/selfsolve/document/lid/sis_00315"
},
{
"trust": 0.1,
"url": "http://support.openview.hp.com/selfsolve/document/lid/sis_00323"
},
{
"trust": 0.1,
"url": "http://support.openview.hp.com/selfsolve/document/lid/sis_00317"
},
{
"trust": 0.1,
"url": "https://softwaresupport.hpe.com\u003e."
},
{
"trust": 0.1,
"url": "https://softwaresupport.hpe.com/group/softwaresupport/search-result/-/facets"
},
{
"trust": 0.1,
"url": "https://h20564.www2.hpe.com/hpsc/doc/public/display?docid=emr_na-c05324755"
},
{
"trust": 0.1,
"url": "http://www.hpe.com/support/security_bulletin_archive"
},
{
"trust": 0.1,
"url": "https://www.hpe.com/info/report-security-vulnerability"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2016-0763"
},
{
"trust": 0.1,
"url": "http://www.hpe.com/support/subscriber_choice"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2015-3253"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2014-0107"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2013-6429"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2014-0050"
},
{
"trust": 0.1,
"url": "https://h20564.www2.hpe.com/hpsc/doc/public/display?docid=emr_na-c01345499"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2015-5652"
},
{
"trust": 0.1,
"url": "http://www.hp.com/jp/icewall_patchaccess"
},
{
"trust": 0.1,
"url": "http://h30499.www3.hp.com/t5/hp-security-research-blog/protect-your-struts1-a"
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2020-006468"
},
{
"db": "JVNDB",
"id": "JVNDB-2014-002308"
},
{
"db": "PACKETSTORM",
"id": "126619"
},
{
"db": "PACKETSTORM",
"id": "127868"
},
{
"db": "PACKETSTORM",
"id": "128873"
},
{
"db": "PACKETSTORM",
"id": "139721"
},
{
"db": "PACKETSTORM",
"id": "126811"
},
{
"db": "NVD",
"id": "CVE-2014-0114"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "VULMON",
"id": "CVE-2014-0114"
},
{
"db": "JVNDB",
"id": "JVNDB-2020-006468"
},
{
"db": "JVNDB",
"id": "JVNDB-2014-002308"
},
{
"db": "PACKETSTORM",
"id": "126619"
},
{
"db": "PACKETSTORM",
"id": "127868"
},
{
"db": "PACKETSTORM",
"id": "128873"
},
{
"db": "PACKETSTORM",
"id": "139721"
},
{
"db": "PACKETSTORM",
"id": "126811"
},
{
"db": "NVD",
"id": "CVE-2014-0114"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2014-04-30T00:00:00",
"db": "VULMON",
"id": "CVE-2014-0114"
},
{
"date": "2020-07-09T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2020-006468"
},
{
"date": "2014-05-01T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2014-002308"
},
{
"date": "2014-05-14T19:25:00",
"db": "PACKETSTORM",
"id": "126619"
},
{
"date": "2014-08-14T22:49:43",
"db": "PACKETSTORM",
"id": "127868"
},
{
"date": "2014-10-28T18:09:30",
"db": "PACKETSTORM",
"id": "128873"
},
{
"date": "2016-11-15T00:42:48",
"db": "PACKETSTORM",
"id": "139721"
},
{
"date": "2014-05-27T16:17:39",
"db": "PACKETSTORM",
"id": "126811"
},
{
"date": "2014-04-30T10:49:03.973000",
"db": "NVD",
"id": "CVE-2014-0114"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2023-02-13T00:00:00",
"db": "VULMON",
"id": "CVE-2014-0114"
},
{
"date": "2020-09-01T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2020-006468"
},
{
"date": "2020-09-02T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2014-002308"
},
{
"date": "2023-02-13T00:32:29.660000",
"db": "NVD",
"id": "CVE-2014-0114"
}
]
},
"threat_type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/threat_type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "remote",
"sources": [
{
"db": "PACKETSTORM",
"id": "126619"
}
],
"trust": 0.1
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "OpenClinic\u00a0GA\u00a0 Multiple vulnerabilities in",
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2020-006468"
}
],
"trust": 0.8
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "arbitrary",
"sources": [
{
"db": "PACKETSTORM",
"id": "127868"
},
{
"db": "PACKETSTORM",
"id": "126811"
}
],
"trust": 0.2
}
}
wid-sec-w-2022-0770
Vulnerability from csaf_certbund
Published
2020-04-23 22:00
Modified
2024-05-16 22:00
Summary
IBM DB2: Mehrere Schwachstellen
Notes
Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.
Produktbeschreibung
IBM DB2 ist ein relationales Datenbanksystem (RDBS) von IBM.
Angriff
Ein entfernter, anonymer oder authentisierter Angreifer kann mehrere Schwachstellen in IBM DB2 ausnutzen, um seine Privilegien zu erhöhen oder einen Denial of Service zu verursachen
Betroffene Betriebssysteme
- Linux
- UNIX
- Windows
{
"document": {
"aggregate_severity": {
"text": "hoch"
},
"category": "csaf_base",
"csaf_version": "2.0",
"distribution": {
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "de-DE",
"notes": [
{
"category": "legal_disclaimer",
"text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
},
{
"category": "description",
"text": "IBM DB2 ist ein relationales Datenbanksystem (RDBS) von IBM.",
"title": "Produktbeschreibung"
},
{
"category": "summary",
"text": "Ein entfernter, anonymer oder authentisierter Angreifer kann mehrere Schwachstellen in IBM DB2 ausnutzen, um seine Privilegien zu erh\u00f6hen oder einen Denial of Service zu verursachen",
"title": "Angriff"
},
{
"category": "general",
"text": "- Linux\n- UNIX\n- Windows",
"title": "Betroffene Betriebssysteme"
}
],
"publisher": {
"category": "other",
"contact_details": "csaf-provider@cert-bund.de",
"name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
"namespace": "https://www.bsi.bund.de"
},
"references": [
{
"category": "self",
"summary": "WID-SEC-W-2022-0770 - CSAF Version",
"url": "https://wid.cert-bund.de/.well-known/csaf/white/2020/wid-sec-w-2022-0770.json"
},
{
"category": "self",
"summary": "WID-SEC-2022-0770 - Portal Version",
"url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0770"
},
{
"category": "external",
"summary": "IBM Security Bulletin 6198380 vom 2020-04-23",
"url": "https://www.ibm.com/support/pages/node/6198380"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2020:2603 vom 2020-06-17",
"url": "https://access.redhat.com/errata/RHSA-2020:2603"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2020:4807 vom 2020-11-04",
"url": "https://access.redhat.com/errata/RHSA-2020:4807"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2021:3225 vom 2021-08-20",
"url": "https://access.redhat.com/errata/RHSA-2021:3225"
},
{
"category": "external",
"summary": "Hitachi Vulnerability Information HITACHI-SEC-2022-115 vom 2022-05-27",
"url": "https://www.hitachi.co.jp/Prod/comp/soft1/global/security/info/vuls/hitachi-sec-2022-115/index.html"
},
{
"category": "external",
"summary": "IBM Security Bulletin 6605881 vom 2022-07-21",
"url": "https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnerabilities-have-been-identified-in-ibm-db2-shipped-with-ibm-puredata-system-for-operational-analytics/"
},
{
"category": "external",
"summary": "Dell Security Advisory DSA-2024-070 vom 2024-02-03",
"url": "https://www.dell.com/support/kbdoc/000221770/dsa-2024-="
},
{
"category": "external",
"summary": "Hitachi Vulnerability Information HITACHI-SEC-2023-144 vom 2023-10-03",
"url": "https://www.hitachi.com/products/it/software/security/info/vuls/hitachi-sec-2023-144/index.html"
},
{
"category": "external",
"summary": "IBM Security Bulletin 7153639 vom 2024-05-17",
"url": "https://www.ibm.com/support/pages/node/7153639"
}
],
"source_lang": "en-US",
"title": "IBM DB2: Mehrere Schwachstellen",
"tracking": {
"current_release_date": "2024-05-16T22:00:00.000+00:00",
"generator": {
"date": "2024-05-17T08:33:37.793+00:00",
"engine": {
"name": "BSI-WID",
"version": "1.3.0"
}
},
"id": "WID-SEC-W-2022-0770",
"initial_release_date": "2020-04-23T22:00:00.000+00:00",
"revision_history": [
{
"date": "2020-04-23T22:00:00.000+00:00",
"number": "1",
"summary": "Initiale Fassung"
},
{
"date": "2020-06-17T22:00:00.000+00:00",
"number": "2",
"summary": "Neue Updates von Red Hat aufgenommen"
},
{
"date": "2020-11-03T23:00:00.000+00:00",
"number": "3",
"summary": "Neue Updates von Red Hat aufgenommen"
},
{
"date": "2021-08-19T22:00:00.000+00:00",
"number": "4",
"summary": "Neue Updates von Red Hat aufgenommen"
},
{
"date": "2022-05-26T22:00:00.000+00:00",
"number": "5",
"summary": "Neue Updates von HITACHI aufgenommen"
},
{
"date": "2022-07-20T22:00:00.000+00:00",
"number": "6",
"summary": "Neue Updates von IBM aufgenommen"
},
{
"date": "2023-10-03T22:00:00.000+00:00",
"number": "7",
"summary": "Neue Updates von HITACHI aufgenommen"
},
{
"date": "2024-02-04T23:00:00.000+00:00",
"number": "8",
"summary": "Neue Updates von Dell aufgenommen"
},
{
"date": "2024-05-16T22:00:00.000+00:00",
"number": "9",
"summary": "Neue Updates von IBM aufgenommen"
}
],
"status": "final",
"version": "9"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "EMC Avamar",
"product": {
"name": "EMC Avamar",
"product_id": "T014381",
"product_identification_helper": {
"cpe": "cpe:/a:emc:avamar:-"
}
}
}
],
"category": "vendor",
"name": "EMC"
},
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Hitachi Ops Center",
"product": {
"name": "Hitachi Ops Center",
"product_id": "T017562",
"product_identification_helper": {
"cpe": "cpe:/a:hitachi:ops_center:-"
}
}
},
{
"category": "product_version_range",
"name": "\u003cAnalyzer 10.9.3-00",
"product": {
"name": "Hitachi Ops Center \u003cAnalyzer 10.9.3-00",
"product_id": "T030196",
"product_identification_helper": {
"cpe": "cpe:/a:hitachi:ops_center:analyzer_10.9.3-00"
}
}
},
{
"category": "product_version_range",
"name": "\u003cViewpoint 10.9.3-00",
"product": {
"name": "Hitachi Ops Center \u003cViewpoint 10.9.3-00",
"product_id": "T030197",
"product_identification_helper": {
"cpe": "cpe:/a:hitachi:ops_center:viewpoint_10.9.3-00"
}
}
}
],
"category": "product_name",
"name": "Ops Center"
}
],
"category": "vendor",
"name": "Hitachi"
},
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "11.1",
"product": {
"name": "IBM DB2 11.1",
"product_id": "342000",
"product_identification_helper": {
"cpe": "cpe:/a:ibm:db2:11.1"
}
}
},
{
"category": "product_version",
"name": "11.5",
"product": {
"name": "IBM DB2 11.5",
"product_id": "695419",
"product_identification_helper": {
"cpe": "cpe:/a:ibm:db2:11.5"
}
}
}
],
"category": "product_name",
"name": "DB2"
}
],
"category": "vendor",
"name": "IBM"
},
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Enterprise Linux",
"product": {
"name": "Red Hat Enterprise Linux",
"product_id": "67646",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:enterprise_linux:-"
}
}
}
],
"category": "vendor",
"name": "Red Hat"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2009-0001",
"notes": [
{
"category": "description",
"text": "In IBM DB2 existieren mehrere Schwachstellen in abh\u00e4ngigen Bibliotheken. Ein entfernter anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service zu verursachen oder seine Rechte zu erweitern."
}
],
"product_status": {
"known_affected": [
"T014381",
"342000",
"67646",
"695419",
"T030196",
"T017562",
"T030197"
]
},
"release_date": "2020-04-23T22:00:00Z",
"title": "CVE-2009-0001"
},
{
"cve": "CVE-2014-0114",
"notes": [
{
"category": "description",
"text": "In IBM DB2 existieren mehrere Schwachstellen in abh\u00e4ngigen Bibliotheken. Ein entfernter anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service zu verursachen oder seine Rechte zu erweitern."
}
],
"product_status": {
"known_affected": [
"T014381",
"342000",
"67646",
"695419",
"T030196",
"T017562",
"T030197"
]
},
"release_date": "2020-04-23T22:00:00Z",
"title": "CVE-2014-0114"
},
{
"cve": "CVE-2014-0193",
"notes": [
{
"category": "description",
"text": "In IBM DB2 existieren mehrere Schwachstellen in abh\u00e4ngigen Bibliotheken. Ein entfernter anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service zu verursachen oder seine Rechte zu erweitern."
}
],
"product_status": {
"known_affected": [
"T014381",
"342000",
"67646",
"695419",
"T030196",
"T017562",
"T030197"
]
},
"release_date": "2020-04-23T22:00:00Z",
"title": "CVE-2014-0193"
},
{
"cve": "CVE-2014-3488",
"notes": [
{
"category": "description",
"text": "In IBM DB2 existieren mehrere Schwachstellen in abh\u00e4ngigen Bibliotheken. Ein entfernter anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service zu verursachen oder seine Rechte zu erweitern."
}
],
"product_status": {
"known_affected": [
"T014381",
"342000",
"67646",
"695419",
"T030196",
"T017562",
"T030197"
]
},
"release_date": "2020-04-23T22:00:00Z",
"title": "CVE-2014-3488"
},
{
"cve": "CVE-2015-2156",
"notes": [
{
"category": "description",
"text": "In IBM DB2 existieren mehrere Schwachstellen in abh\u00e4ngigen Bibliotheken. Ein entfernter anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service zu verursachen oder seine Rechte zu erweitern."
}
],
"product_status": {
"known_affected": [
"T014381",
"342000",
"67646",
"695419",
"T030196",
"T017562",
"T030197"
]
},
"release_date": "2020-04-23T22:00:00Z",
"title": "CVE-2015-2156"
},
{
"cve": "CVE-2016-2402",
"notes": [
{
"category": "description",
"text": "In IBM DB2 existieren mehrere Schwachstellen in abh\u00e4ngigen Bibliotheken. Ein entfernter anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service zu verursachen oder seine Rechte zu erweitern."
}
],
"product_status": {
"known_affected": [
"T014381",
"342000",
"67646",
"695419",
"T030196",
"T017562",
"T030197"
]
},
"release_date": "2020-04-23T22:00:00Z",
"title": "CVE-2016-2402"
},
{
"cve": "CVE-2017-12972",
"notes": [
{
"category": "description",
"text": "In IBM DB2 existieren mehrere Schwachstellen in abh\u00e4ngigen Bibliotheken. Ein entfernter anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service zu verursachen oder seine Rechte zu erweitern."
}
],
"product_status": {
"known_affected": [
"T014381",
"342000",
"67646",
"695419",
"T030196",
"T017562",
"T030197"
]
},
"release_date": "2020-04-23T22:00:00Z",
"title": "CVE-2017-12972"
},
{
"cve": "CVE-2017-12973",
"notes": [
{
"category": "description",
"text": "In IBM DB2 existieren mehrere Schwachstellen in abh\u00e4ngigen Bibliotheken. Ein entfernter anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service zu verursachen oder seine Rechte zu erweitern."
}
],
"product_status": {
"known_affected": [
"T014381",
"342000",
"67646",
"695419",
"T030196",
"T017562",
"T030197"
]
},
"release_date": "2020-04-23T22:00:00Z",
"title": "CVE-2017-12973"
},
{
"cve": "CVE-2017-12974",
"notes": [
{
"category": "description",
"text": "In IBM DB2 existieren mehrere Schwachstellen in abh\u00e4ngigen Bibliotheken. Ein entfernter anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service zu verursachen oder seine Rechte zu erweitern."
}
],
"product_status": {
"known_affected": [
"T014381",
"342000",
"67646",
"695419",
"T030196",
"T017562",
"T030197"
]
},
"release_date": "2020-04-23T22:00:00Z",
"title": "CVE-2017-12974"
},
{
"cve": "CVE-2017-18640",
"notes": [
{
"category": "description",
"text": "In IBM DB2 existieren mehrere Schwachstellen in abh\u00e4ngigen Bibliotheken. Ein entfernter anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service zu verursachen oder seine Rechte zu erweitern."
}
],
"product_status": {
"known_affected": [
"T014381",
"342000",
"67646",
"695419",
"T030196",
"T017562",
"T030197"
]
},
"release_date": "2020-04-23T22:00:00Z",
"title": "CVE-2017-18640"
},
{
"cve": "CVE-2017-3734",
"notes": [
{
"category": "description",
"text": "In IBM DB2 existieren mehrere Schwachstellen in abh\u00e4ngigen Bibliotheken. Ein entfernter anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service zu verursachen oder seine Rechte zu erweitern."
}
],
"product_status": {
"known_affected": [
"T014381",
"342000",
"67646",
"695419",
"T030196",
"T017562",
"T030197"
]
},
"release_date": "2020-04-23T22:00:00Z",
"title": "CVE-2017-3734"
},
{
"cve": "CVE-2017-5637",
"notes": [
{
"category": "description",
"text": "In IBM DB2 existieren mehrere Schwachstellen in abh\u00e4ngigen Bibliotheken. Ein entfernter anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service zu verursachen oder seine Rechte zu erweitern."
}
],
"product_status": {
"known_affected": [
"T014381",
"342000",
"67646",
"695419",
"T030196",
"T017562",
"T030197"
]
},
"release_date": "2020-04-23T22:00:00Z",
"title": "CVE-2017-5637"
},
{
"cve": "CVE-2018-10237",
"notes": [
{
"category": "description",
"text": "In IBM DB2 existieren mehrere Schwachstellen in abh\u00e4ngigen Bibliotheken. Ein entfernter anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service zu verursachen oder seine Rechte zu erweitern."
}
],
"product_status": {
"known_affected": [
"T014381",
"342000",
"67646",
"695419",
"T030196",
"T017562",
"T030197"
]
},
"release_date": "2020-04-23T22:00:00Z",
"title": "CVE-2018-10237"
},
{
"cve": "CVE-2018-11771",
"notes": [
{
"category": "description",
"text": "In IBM DB2 existieren mehrere Schwachstellen in abh\u00e4ngigen Bibliotheken. Ein entfernter anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service zu verursachen oder seine Rechte zu erweitern."
}
],
"product_status": {
"known_affected": [
"T014381",
"342000",
"67646",
"695419",
"T030196",
"T017562",
"T030197"
]
},
"release_date": "2020-04-23T22:00:00Z",
"title": "CVE-2018-11771"
},
{
"cve": "CVE-2018-8009",
"notes": [
{
"category": "description",
"text": "In IBM DB2 existieren mehrere Schwachstellen in abh\u00e4ngigen Bibliotheken. Ein entfernter anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service zu verursachen oder seine Rechte zu erweitern."
}
],
"product_status": {
"known_affected": [
"T014381",
"342000",
"67646",
"695419",
"T030196",
"T017562",
"T030197"
]
},
"release_date": "2020-04-23T22:00:00Z",
"title": "CVE-2018-8009"
},
{
"cve": "CVE-2018-8012",
"notes": [
{
"category": "description",
"text": "In IBM DB2 existieren mehrere Schwachstellen in abh\u00e4ngigen Bibliotheken. Ein entfernter anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service zu verursachen oder seine Rechte zu erweitern."
}
],
"product_status": {
"known_affected": [
"T014381",
"342000",
"67646",
"695419",
"T030196",
"T017562",
"T030197"
]
},
"release_date": "2020-04-23T22:00:00Z",
"title": "CVE-2018-8012"
},
{
"cve": "CVE-2019-0201",
"notes": [
{
"category": "description",
"text": "In IBM DB2 existieren mehrere Schwachstellen in abh\u00e4ngigen Bibliotheken. Ein entfernter anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service zu verursachen oder seine Rechte zu erweitern."
}
],
"product_status": {
"known_affected": [
"T014381",
"342000",
"67646",
"695419",
"T030196",
"T017562",
"T030197"
]
},
"release_date": "2020-04-23T22:00:00Z",
"title": "CVE-2019-0201"
},
{
"cve": "CVE-2019-10086",
"notes": [
{
"category": "description",
"text": "In IBM DB2 existieren mehrere Schwachstellen in abh\u00e4ngigen Bibliotheken. Ein entfernter anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service zu verursachen oder seine Rechte zu erweitern."
}
],
"product_status": {
"known_affected": [
"T014381",
"342000",
"67646",
"695419",
"T030196",
"T017562",
"T030197"
]
},
"release_date": "2020-04-23T22:00:00Z",
"title": "CVE-2019-10086"
},
{
"cve": "CVE-2019-10172",
"notes": [
{
"category": "description",
"text": "In IBM DB2 existieren mehrere Schwachstellen in abh\u00e4ngigen Bibliotheken. Ein entfernter anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service zu verursachen oder seine Rechte zu erweitern."
}
],
"product_status": {
"known_affected": [
"T014381",
"342000",
"67646",
"695419",
"T030196",
"T017562",
"T030197"
]
},
"release_date": "2020-04-23T22:00:00Z",
"title": "CVE-2019-10172"
},
{
"cve": "CVE-2019-10202",
"notes": [
{
"category": "description",
"text": "In IBM DB2 existieren mehrere Schwachstellen in abh\u00e4ngigen Bibliotheken. Ein entfernter anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service zu verursachen oder seine Rechte zu erweitern."
}
],
"product_status": {
"known_affected": [
"T014381",
"342000",
"67646",
"695419",
"T030196",
"T017562",
"T030197"
]
},
"release_date": "2020-04-23T22:00:00Z",
"title": "CVE-2019-10202"
},
{
"cve": "CVE-2019-12402",
"notes": [
{
"category": "description",
"text": "In IBM DB2 existieren mehrere Schwachstellen in abh\u00e4ngigen Bibliotheken. Ein entfernter anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service zu verursachen oder seine Rechte zu erweitern."
}
],
"product_status": {
"known_affected": [
"T014381",
"342000",
"67646",
"695419",
"T030196",
"T017562",
"T030197"
]
},
"release_date": "2020-04-23T22:00:00Z",
"title": "CVE-2019-12402"
},
{
"cve": "CVE-2019-16869",
"notes": [
{
"category": "description",
"text": "In IBM DB2 existieren mehrere Schwachstellen in abh\u00e4ngigen Bibliotheken. Ein entfernter anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service zu verursachen oder seine Rechte zu erweitern."
}
],
"product_status": {
"known_affected": [
"T014381",
"342000",
"67646",
"695419",
"T030196",
"T017562",
"T030197"
]
},
"release_date": "2020-04-23T22:00:00Z",
"title": "CVE-2019-16869"
},
{
"cve": "CVE-2019-17195",
"notes": [
{
"category": "description",
"text": "In IBM DB2 existieren mehrere Schwachstellen in abh\u00e4ngigen Bibliotheken. Ein entfernter anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service zu verursachen oder seine Rechte zu erweitern."
}
],
"product_status": {
"known_affected": [
"T014381",
"342000",
"67646",
"695419",
"T030196",
"T017562",
"T030197"
]
},
"release_date": "2020-04-23T22:00:00Z",
"title": "CVE-2019-17195"
},
{
"cve": "CVE-2019-17571",
"notes": [
{
"category": "description",
"text": "In IBM DB2 existieren mehrere Schwachstellen in abh\u00e4ngigen Bibliotheken. Ein entfernter anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service zu verursachen oder seine Rechte zu erweitern."
}
],
"product_status": {
"known_affected": [
"T014381",
"342000",
"67646",
"695419",
"T030196",
"T017562",
"T030197"
]
},
"release_date": "2020-04-23T22:00:00Z",
"title": "CVE-2019-17571"
},
{
"cve": "CVE-2019-9512",
"notes": [
{
"category": "description",
"text": "In IBM DB2 existieren mehrere Schwachstellen in abh\u00e4ngigen Bibliotheken. Ein entfernter anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service zu verursachen oder seine Rechte zu erweitern."
}
],
"product_status": {
"known_affected": [
"T014381",
"342000",
"67646",
"695419",
"T030196",
"T017562",
"T030197"
]
},
"release_date": "2020-04-23T22:00:00Z",
"title": "CVE-2019-9512"
},
{
"cve": "CVE-2019-9514",
"notes": [
{
"category": "description",
"text": "In IBM DB2 existieren mehrere Schwachstellen in abh\u00e4ngigen Bibliotheken. Ein entfernter anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service zu verursachen oder seine Rechte zu erweitern."
}
],
"product_status": {
"known_affected": [
"T014381",
"342000",
"67646",
"695419",
"T030196",
"T017562",
"T030197"
]
},
"release_date": "2020-04-23T22:00:00Z",
"title": "CVE-2019-9514"
},
{
"cve": "CVE-2019-9515",
"notes": [
{
"category": "description",
"text": "In IBM DB2 existieren mehrere Schwachstellen in abh\u00e4ngigen Bibliotheken. Ein entfernter anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service zu verursachen oder seine Rechte zu erweitern."
}
],
"product_status": {
"known_affected": [
"T014381",
"342000",
"67646",
"695419",
"T030196",
"T017562",
"T030197"
]
},
"release_date": "2020-04-23T22:00:00Z",
"title": "CVE-2019-9515"
},
{
"cve": "CVE-2019-9518",
"notes": [
{
"category": "description",
"text": "In IBM DB2 existieren mehrere Schwachstellen in abh\u00e4ngigen Bibliotheken. Ein entfernter anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service zu verursachen oder seine Rechte zu erweitern."
}
],
"product_status": {
"known_affected": [
"T014381",
"342000",
"67646",
"695419",
"T030196",
"T017562",
"T030197"
]
},
"release_date": "2020-04-23T22:00:00Z",
"title": "CVE-2019-9518"
}
]
}
wid-sec-w-2023-0918
Vulnerability from csaf_certbund
Published
2014-05-06 22:00
Modified
2024-05-16 22:00
Summary
Apache Struts: Schwachstelle ermöglicht Ausführen von beliebigem Programmcode mit den Rechten des Dienstes
Notes
Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.
Produktbeschreibung
Struts ist ein Framework für Java-Anwendungen auf dem Webserver Apache.
Angriff
Ein entfernter, anonymer Angreifer kann eine Schwachstelle in Apache Struts ausnutzen, um beliebigen Programmcode mit den Rechten des Dienstes auszuführen.
Betroffene Betriebssysteme
- Linux
- UNIX
- Windows
{
"document": {
"aggregate_severity": {
"text": "mittel"
},
"category": "csaf_base",
"csaf_version": "2.0",
"distribution": {
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "de-DE",
"notes": [
{
"category": "legal_disclaimer",
"text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
},
{
"category": "description",
"text": "Struts ist ein Framework f\u00fcr Java-Anwendungen auf dem Webserver Apache.",
"title": "Produktbeschreibung"
},
{
"category": "summary",
"text": "Ein entfernter, anonymer Angreifer kann eine Schwachstelle in Apache Struts ausnutzen, um beliebigen Programmcode mit den Rechten des Dienstes auszuf\u00fchren.",
"title": "Angriff"
},
{
"category": "general",
"text": "- Linux\n- UNIX\n- Windows",
"title": "Betroffene Betriebssysteme"
}
],
"publisher": {
"category": "other",
"contact_details": "csaf-provider@cert-bund.de",
"name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
"namespace": "https://www.bsi.bund.de"
},
"references": [
{
"category": "self",
"summary": "WID-SEC-W-2023-0918 - CSAF Version",
"url": "https://wid.cert-bund.de/.well-known/csaf/white/2014/wid-sec-w-2023-0918.json"
},
{
"category": "self",
"summary": "WID-SEC-2023-0918 - Portal Version",
"url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2023-0918"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2014:0474-1 vom 2014-05-07",
"url": "https://rhn.redhat.com/errata/RHSA-2014-0474.html"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2014:0497-1 vom 2014-05-14",
"url": "https://rhn.redhat.com/errata/RHSA-2014-0497.html"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2014:0498-1 vom 2014-05-14",
"url": "https://rhn.redhat.com/errata/RHSA-2014-0498.html"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2014:0500-1 vom 2014-05-14",
"url": "https://rhn.redhat.com/errata/RHSA-2014-0500.html"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2014:0511-1 vom 2014-05-15",
"url": "https://rhn.redhat.com/errata/RHSA-2014-0511.html"
},
{
"category": "external",
"summary": "SUSE Security Update: Security Update f\u00fcr Struts",
"url": "http://lists.opensuse.org/opensuse-security-announce/2014-07/msg00008.html"
},
{
"category": "external",
"summary": "Debian Security Advisory DSA-2940-1 vom 2014-08-21",
"url": "https://www.debian.org/security/2014/dsa-2940"
},
{
"category": "external",
"summary": "Oracle Critical Patch Update Advisory Appendix Retail Applications vom 2014-10-14",
"url": "http://www.oracle.com/technetwork/topics/security/cpuoct2014-1972960.html#AppendixRAPP"
},
{
"category": "external",
"summary": "HP Security Bulletin c04473828 vom 2014-10-14",
"url": "https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04473828"
},
{
"category": "external",
"summary": "HP Security Bulletin HPSBGN03669 vom 2016-11-07",
"url": "https://h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-c05324755"
},
{
"category": "external",
"summary": "NetApp Advisory Number NTAP-20140911-0001 vom 2017-04-06",
"url": "https://kb.netapp.com/support/s/article/ka51A00000007QFQAY/apache-struts-class-suppression-vulnerability-in-select-netapp-products?language=en_US"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2019:2995 vom 2019-10-10",
"url": "https://access.redhat.com/errata/RHSA-2019:2995"
},
{
"category": "external",
"summary": "Oracle Linux Security Advisory ELSA-2020-0194 vom 2020-04-24",
"url": "https://oss.oracle.com/pipermail/el-errata/2020-January/009538.html"
},
{
"category": "external",
"summary": "IBM Security Bulletin 6982881 vom 2023-04-12",
"url": "https://www.ibm.com/support/pages/node/6982881"
},
{
"category": "external",
"summary": "IBM Security Bulletin 7153639 vom 2024-05-17",
"url": "https://www.ibm.com/support/pages/node/7153639"
}
],
"source_lang": "en-US",
"title": "Apache Struts: Schwachstelle erm\u00f6glicht Ausf\u00fchren von beliebigem Programmcode mit den Rechten des Dienstes",
"tracking": {
"current_release_date": "2024-05-16T22:00:00.000+00:00",
"generator": {
"date": "2024-05-17T08:33:46.075+00:00",
"engine": {
"name": "BSI-WID",
"version": "1.3.0"
}
},
"id": "WID-SEC-W-2023-0918",
"initial_release_date": "2014-05-06T22:00:00.000+00:00",
"revision_history": [
{
"date": "2014-05-06T22:00:00.000+00:00",
"number": "1",
"summary": "Initial Release"
},
{
"date": "2014-05-06T22:00:00.000+00:00",
"number": "2",
"summary": "Version nicht vorhanden"
},
{
"date": "2014-05-06T22:00:00.000+00:00",
"number": "3",
"summary": "Version nicht vorhanden"
},
{
"date": "2014-05-06T22:00:00.000+00:00",
"number": "4",
"summary": "Version nicht vorhanden"
},
{
"date": "2014-05-15T22:00:00.000+00:00",
"number": "5",
"summary": "New remediations available"
},
{
"date": "2014-05-15T22:00:00.000+00:00",
"number": "6",
"summary": "Version nicht vorhanden"
},
{
"date": "2014-07-15T22:00:00.000+00:00",
"number": "7",
"summary": "New remediations available"
},
{
"date": "2014-07-15T22:00:00.000+00:00",
"number": "8",
"summary": "Version nicht vorhanden"
},
{
"date": "2014-08-21T22:00:00.000+00:00",
"number": "9",
"summary": "New remediations available"
},
{
"date": "2014-08-21T22:00:00.000+00:00",
"number": "10",
"summary": "Version nicht vorhanden"
},
{
"date": "2014-08-21T22:00:00.000+00:00",
"number": "11",
"summary": "Version nicht vorhanden"
},
{
"date": "2014-08-21T22:00:00.000+00:00",
"number": "12",
"summary": "Version nicht vorhanden"
},
{
"date": "2014-08-21T22:00:00.000+00:00",
"number": "13",
"summary": "Version nicht vorhanden"
},
{
"date": "2016-11-06T23:00:00.000+00:00",
"number": "14",
"summary": "New remediations available"
},
{
"date": "2016-11-06T23:00:00.000+00:00",
"number": "15",
"summary": "Version nicht vorhanden"
},
{
"date": "2017-04-06T22:00:00.000+00:00",
"number": "16",
"summary": "n"
},
{
"date": "2017-04-06T22:00:00.000+00:00",
"number": "17",
"summary": "Version nicht vorhanden"
},
{
"date": "2019-10-09T22:00:00.000+00:00",
"number": "18",
"summary": "Neue Updates von Red Hat aufgenommen"
},
{
"date": "2020-04-23T22:00:00.000+00:00",
"number": "19",
"summary": "Neue Updates von Oracle Linux aufgenommen"
},
{
"date": "2023-04-11T22:00:00.000+00:00",
"number": "20",
"summary": "Neue Updates von IBM aufgenommen"
},
{
"date": "2024-05-16T22:00:00.000+00:00",
"number": "21",
"summary": "Neue Updates von IBM aufgenommen"
}
],
"status": "final",
"version": "21"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "1",
"product": {
"name": "Apache Struts 1",
"product_id": "T003109",
"product_identification_helper": {
"cpe": "cpe:/a:apache:struts:1"
}
}
}
],
"category": "product_name",
"name": "Struts"
}
],
"category": "vendor",
"name": "Apache"
},
{
"branches": [
{
"category": "product_name",
"name": "Debian Linux Wheezy (7.0)",
"product": {
"name": "Debian Linux Wheezy (7.0)",
"product_id": "T001572",
"product_identification_helper": {
"cpe": "cpe:/o:debian:debian_linux:7.0"
}
}
}
],
"category": "vendor",
"name": "Debian"
},
{
"branches": [
{
"category": "product_name",
"name": "HPE SiteScope",
"product": {
"name": "HPE SiteScope",
"product_id": "T008871",
"product_identification_helper": {
"cpe": "cpe:/a:hp:sitescope:-"
}
}
},
{
"category": "product_name",
"name": "HPE XP P9000 Command View Advanced Edition",
"product": {
"name": "HPE XP P9000 Command View Advanced Edition",
"product_id": "T004073",
"product_identification_helper": {
"cpe": "cpe:/a:hp:xp_p9000_command_view_advanced_edition:-"
}
}
}
],
"category": "vendor",
"name": "HPE"
},
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "8.1",
"product": {
"name": "IBM Operational Decision Manager 8.10",
"product_id": "T013722",
"product_identification_helper": {
"cpe": "cpe:/a:ibm:operational_decision_manager:8.10"
}
}
},
{
"category": "product_version",
"name": "8.11",
"product": {
"name": "IBM Operational Decision Manager 8.11",
"product_id": "T022173",
"product_identification_helper": {
"cpe": "cpe:/a:ibm:operational_decision_manager:8.11"
}
}
}
],
"category": "product_name",
"name": "Operational Decision Manager"
}
],
"category": "vendor",
"name": "IBM"
},
{
"branches": [
{
"category": "product_name",
"name": "NetApp OnCommand Unified Manager",
"product": {
"name": "NetApp OnCommand Unified Manager",
"product_id": "T009408",
"product_identification_helper": {
"cpe": "cpe:/a:netapp:oncommand_unified_manager:-"
}
}
}
],
"category": "vendor",
"name": "NetApp"
},
{
"branches": [
{
"category": "product_name",
"name": "Oracle Linux",
"product": {
"name": "Oracle Linux",
"product_id": "T004914",
"product_identification_helper": {
"cpe": "cpe:/o:oracle:linux:-"
}
}
},
{
"category": "product_name",
"name": "Oracle Primavera",
"product": {
"name": "Oracle Primavera",
"product_id": "T001021",
"product_identification_helper": {
"cpe": "cpe:/a:oracle:primavera_portfolio_management:7.0"
}
}
},
{
"branches": [
{
"category": "product_version",
"name": "10",
"product": {
"name": "Oracle Retail Allocation 10.0",
"product_id": "T003997",
"product_identification_helper": {
"cpe": "cpe:/a:oracle:retail_allocation:10.0"
}
}
},
{
"category": "product_version",
"name": "11",
"product": {
"name": "Oracle Retail Allocation 11.0",
"product_id": "T003998",
"product_identification_helper": {
"cpe": "cpe:/a:oracle:retail_allocation:11.0"
}
}
},
{
"category": "product_version",
"name": "12",
"product": {
"name": "Oracle Retail Allocation 12.0",
"product_id": "T003999",
"product_identification_helper": {
"cpe": "cpe:/a:oracle:retail_allocation:12.0"
}
}
},
{
"category": "product_version",
"name": "13",
"product": {
"name": "Oracle Retail Allocation 13.0",
"product_id": "T004000",
"product_identification_helper": {
"cpe": "cpe:/a:oracle:retail_allocation:13.0"
}
}
},
{
"category": "product_version",
"name": "13.1",
"product": {
"name": "Oracle Retail Allocation 13.1",
"product_id": "T004001",
"product_identification_helper": {
"cpe": "cpe:/a:oracle:retail_allocation:13.1"
}
}
},
{
"category": "product_version",
"name": "13.2",
"product": {
"name": "Oracle Retail Allocation 13.2",
"product_id": "T004012",
"product_identification_helper": {
"cpe": "cpe:/a:oracle:retail_allocation:13.2"
}
}
}
],
"category": "product_name",
"name": "Retail Allocation"
},
{
"branches": [
{
"category": "product_version",
"name": "13.3",
"product": {
"name": "Oracle Retail Clearance Optimization Engine 13.3",
"product_id": "T004002",
"product_identification_helper": {
"cpe": "cpe:/a:oracle:retail_clearance_optimization_engine:13.3"
}
}
},
{
"category": "product_version",
"name": "13.4",
"product": {
"name": "Oracle Retail Clearance Optimization Engine 13.4",
"product_id": "T004003",
"product_identification_helper": {
"cpe": "cpe:/a:oracle:retail_clearance_optimization_engine:13.4"
}
}
},
{
"category": "product_version",
"name": "14",
"product": {
"name": "Oracle Retail Clearance Optimization Engine 14.0",
"product_id": "T004004",
"product_identification_helper": {
"cpe": "cpe:/a:oracle:retail_clearance_optimization_engine:14.0"
}
}
}
],
"category": "product_name",
"name": "Retail Clearance Optimization Engine"
},
{
"branches": [
{
"category": "product_version",
"name": "11",
"product": {
"name": "Oracle Retail Invoice Matching 11.0",
"product_id": "T001981",
"product_identification_helper": {
"cpe": "cpe:/a:oracle:retail_invoice_matching:11.0"
}
}
},
{
"category": "product_version",
"name": "12",
"product": {
"name": "Oracle Retail Invoice Matching 12.0",
"product_id": "T001982",
"product_identification_helper": {
"cpe": "cpe:/a:oracle:retail_invoice_matching:12.0"
}
}
},
{
"category": "product_version",
"name": "12.0 IN",
"product": {
"name": "Oracle Retail Invoice Matching 12.0 IN",
"product_id": "T001983",
"product_identification_helper": {
"cpe": "cpe:/a:oracle:retail_invoice_matching:12.0in"
}
}
},
{
"category": "product_version",
"name": "12.1",
"product": {
"name": "Oracle Retail Invoice Matching 12.1",
"product_id": "T001984",
"product_identification_helper": {
"cpe": "cpe:/a:oracle:retail_invoice_matching:12.1"
}
}
},
{
"category": "product_version",
"name": "13",
"product": {
"name": "Oracle Retail Invoice Matching 13.0",
"product_id": "T001985",
"product_identification_helper": {
"cpe": "cpe:/a:oracle:retail_invoice_matching:13.0"
}
}
},
{
"category": "product_version",
"name": "13.2",
"product": {
"name": "Oracle Retail Invoice Matching 13.2",
"product_id": "T001987",
"product_identification_helper": {
"cpe": "cpe:/a:oracle:retail_invoice_matching:13.2"
}
}
},
{
"category": "product_version",
"name": "14",
"product": {
"name": "Oracle Retail Invoice Matching 14.0",
"product_id": "T004005",
"product_identification_helper": {
"cpe": "cpe:/a:oracle:retail_invoice_matching:14.0"
}
}
},
{
"category": "product_version",
"name": "13.1",
"product": {
"name": "Oracle Retail Markdown Optimization 13.1",
"product_id": "T004011",
"product_identification_helper": {
"cpe": "cpe:/a:oracle:retail_invoice_matching:13.1"
}
}
}
],
"category": "product_name",
"name": "Retail Invoice Matching"
},
{
"branches": [
{
"category": "product_version",
"name": "12",
"product": {
"name": "Oracle Retail Markdown Optimization 12.0",
"product_id": "T004006",
"product_identification_helper": {
"cpe": "cpe:/a:oracle:retail_markdown_optimization:12.0"
}
}
},
{
"category": "product_version",
"name": "13",
"product": {
"name": "Oracle Retail Markdown Optimization 13.0",
"product_id": "T004007",
"product_identification_helper": {
"cpe": "cpe:/a:oracle:retail_markdown_optimization:13.0"
}
}
},
{
"category": "product_version",
"name": "13.2",
"product": {
"name": "Oracle Retail Markdown Optimization 13.2",
"product_id": "T004009",
"product_identification_helper": {
"cpe": "cpe:/a:oracle:retail_markdown_optimization:13.2"
}
}
},
{
"category": "product_version",
"name": "13.4",
"product": {
"name": "Oracle Retail Markdown Optimization 13.4",
"product_id": "T004010",
"product_identification_helper": {
"cpe": "cpe:/a:oracle:retail_markdown_optimization:13.4"
}
}
}
],
"category": "product_name",
"name": "Retail Markdown Optimization"
}
],
"category": "vendor",
"name": "Oracle"
},
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "5",
"product": {
"name": "Red Hat Enterprise Linux 5",
"product_id": "74289",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:enterprise_linux:5::server"
}
}
}
],
"category": "product_name",
"name": "Enterprise Linux"
},
{
"branches": [
{
"category": "product_version",
"name": "5",
"product": {
"name": "Red Hat Enterprise Linux Desktop 5",
"product_id": "T002352",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:enterprise_linux_desktop:5:client"
}
}
}
],
"category": "product_name",
"name": "Enterprise Linux Desktop"
},
{
"category": "product_name",
"name": "Red Hat JBoss Fuse",
"product": {
"name": "Red Hat JBoss Fuse",
"product_id": "T003086",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:jboss_fuse:-"
}
}
},
{
"category": "product_name",
"name": "Red Hat Network Satellite Server",
"product": {
"name": "Red Hat Network Satellite Server",
"product_id": "9603",
"product_identification_helper": {
"cpe": "cpe:/h:redhat:network_satelite_server:-"
}
}
}
],
"category": "vendor",
"name": "Red Hat"
},
{
"branches": [
{
"category": "product_name",
"name": "SUSE Linux",
"product": {
"name": "SUSE Linux",
"product_id": "T002207",
"product_identification_helper": {
"cpe": "cpe:/o:suse:suse_linux:-"
}
}
}
],
"category": "vendor",
"name": "SUSE"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2014-0114",
"notes": [
{
"category": "description",
"text": "In Apache Struts besteht eine Schwachstelle, welche zur entfernten Codeausf\u00fchrung ausgenutzt werden kann. Diese Schwachstelle wird durch eine unzureichende Zugriffsbeschr\u00e4nkung auf den \"class\" Parameter im \"ActionForm\" Objekt verursacht. Ein entfernter, anonymer Angreifer kann diese Schwachstelle ausnutzen, um beliebigen Code mit den Rechten des Dienstes auszuf\u00fchren."
}
],
"product_status": {
"known_affected": [
"T004011",
"T004012",
"T009408",
"T013722",
"T003109",
"T004914",
"T001987",
"T001985",
"T001984",
"T001983",
"T001982",
"T001981",
"T004073",
"T008871",
"T001021",
"T002352",
"T003086",
"T004010",
"T004000",
"T004001",
"T004002",
"T004003",
"T004004",
"T004005",
"T004006",
"T004007",
"T003997",
"74289",
"T003998",
"T004009",
"T003999",
"T002207",
"9603",
"T001572",
"T022173"
]
},
"release_date": "2014-05-06T22:00:00Z",
"title": "CVE-2014-0114"
}
]
}
wid-sec-w-2022-1375
Vulnerability from csaf_certbund
Published
2022-09-11 22:00
Modified
2023-09-14 22:00
Summary
JFrog Artifactory: Mehrere Schwachstellen
Notes
Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.
Produktbeschreibung
JFrog Artifactory ist eine universelle DevOps-Lösung.
Angriff
Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in JFrog Artifactory ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen.
Betroffene Betriebssysteme
- UNIX
- Linux
{
"document": {
"aggregate_severity": {
"text": "hoch"
},
"category": "csaf_base",
"csaf_version": "2.0",
"distribution": {
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "de-DE",
"notes": [
{
"category": "legal_disclaimer",
"text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
},
{
"category": "description",
"text": "JFrog Artifactory ist eine universelle DevOps-L\u00f6sung.",
"title": "Produktbeschreibung"
},
{
"category": "summary",
"text": "Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in JFrog Artifactory ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszul\u00f6sen.",
"title": "Angriff"
},
{
"category": "general",
"text": "- UNIX\n- Linux",
"title": "Betroffene Betriebssysteme"
}
],
"publisher": {
"category": "other",
"contact_details": "csaf-provider@cert-bund.de",
"name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
"namespace": "https://www.bsi.bund.de"
},
"references": [
{
"category": "self",
"summary": "WID-SEC-W-2022-1375 - CSAF Version",
"url": "https://wid.cert-bund.de/.well-known/csaf/white/2022/wid-sec-w-2022-1375.json"
},
{
"category": "self",
"summary": "WID-SEC-2022-1375 - Portal Version",
"url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1375"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2023:5165 vom 2023-09-14",
"url": "https://access.redhat.com/errata/RHSA-2023:5165"
},
{
"category": "external",
"summary": "JFrog Fixed Security Vulnerabilities vom 2022-09-11",
"url": "https://www.jfrog.com/confluence/display/JFROG/Fixed+Security+Vulnerabilities"
},
{
"category": "external",
"summary": "JFrog Fixed Security Vulnerabilities",
"url": "https://www.jfrog.com/confluence/display/JFROG/Fixed+Security+Vulnerabilities"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2022:6782 vom 2022-10-04",
"url": "https://access.redhat.com/errata/RHSA-2022:6782"
},
{
"category": "external",
"summary": "Ubuntu Security Notice USN-5776-1 vom 2022-12-13",
"url": "https://ubuntu.com/security/notices/USN-5776-1"
}
],
"source_lang": "en-US",
"title": "JFrog Artifactory: Mehrere Schwachstellen",
"tracking": {
"current_release_date": "2023-09-14T22:00:00.000+00:00",
"generator": {
"date": "2024-02-15T16:58:09.779+00:00",
"engine": {
"name": "BSI-WID",
"version": "1.3.0"
}
},
"id": "WID-SEC-W-2022-1375",
"initial_release_date": "2022-09-11T22:00:00.000+00:00",
"revision_history": [
{
"date": "2022-09-11T22:00:00.000+00:00",
"number": "1",
"summary": "Initiale Fassung"
},
{
"date": "2022-10-03T22:00:00.000+00:00",
"number": "2",
"summary": "Neue Updates aufgenommen"
},
{
"date": "2022-10-04T22:00:00.000+00:00",
"number": "3",
"summary": "Neue Updates von Red Hat aufgenommen"
},
{
"date": "2022-12-12T23:00:00.000+00:00",
"number": "4",
"summary": "Neue Updates von Ubuntu aufgenommen"
},
{
"date": "2022-12-20T23:00:00.000+00:00",
"number": "5",
"summary": "Referenz(en) aufgenommen: FEDORA-2022-DB674BAFD9, FEDORA-2022-7E327A20BE"
},
{
"date": "2023-09-14T22:00:00.000+00:00",
"number": "6",
"summary": "Neue Updates von Red Hat aufgenommen"
}
],
"status": "final",
"version": "6"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "JFrog Artifactory",
"product": {
"name": "JFrog Artifactory",
"product_id": "T024527",
"product_identification_helper": {
"cpe": "cpe:/a:jfrog:artifactory:-"
}
}
},
{
"category": "product_name",
"name": "JFrog Artifactory \u003c 7.46.3",
"product": {
"name": "JFrog Artifactory \u003c 7.46.3",
"product_id": "T024764",
"product_identification_helper": {
"cpe": "cpe:/a:jfrog:artifactory:7.46.3"
}
}
}
],
"category": "product_name",
"name": "Artifactory"
}
],
"category": "vendor",
"name": "JFrog"
},
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Enterprise Linux",
"product": {
"name": "Red Hat Enterprise Linux",
"product_id": "67646",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:enterprise_linux:-"
}
}
}
],
"category": "vendor",
"name": "Red Hat"
},
{
"branches": [
{
"category": "product_name",
"name": "Ubuntu Linux",
"product": {
"name": "Ubuntu Linux",
"product_id": "T000126",
"product_identification_helper": {
"cpe": "cpe:/o:canonical:ubuntu_linux:-"
}
}
}
],
"category": "vendor",
"name": "Ubuntu"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2013-4517",
"notes": [
{
"category": "description",
"text": "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszul\u00f6sen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte."
}
],
"product_status": {
"known_affected": [
"T024527",
"67646",
"T000126",
"T024764"
]
},
"release_date": "2022-09-11T22:00:00Z",
"title": "CVE-2013-4517"
},
{
"cve": "CVE-2013-7285",
"notes": [
{
"category": "description",
"text": "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszul\u00f6sen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte."
}
],
"product_status": {
"known_affected": [
"T024527",
"67646",
"T000126",
"T024764"
]
},
"release_date": "2022-09-11T22:00:00Z",
"title": "CVE-2013-7285"
},
{
"cve": "CVE-2014-0107",
"notes": [
{
"category": "description",
"text": "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszul\u00f6sen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte."
}
],
"product_status": {
"known_affected": [
"T024527",
"67646",
"T000126",
"T024764"
]
},
"release_date": "2022-09-11T22:00:00Z",
"title": "CVE-2014-0107"
},
{
"cve": "CVE-2014-0114",
"notes": [
{
"category": "description",
"text": "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszul\u00f6sen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte."
}
],
"product_status": {
"known_affected": [
"T024527",
"67646",
"T000126",
"T024764"
]
},
"release_date": "2022-09-11T22:00:00Z",
"title": "CVE-2014-0114"
},
{
"cve": "CVE-2014-3577",
"notes": [
{
"category": "description",
"text": "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszul\u00f6sen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte."
}
],
"product_status": {
"known_affected": [
"T024527",
"67646",
"T000126",
"T024764"
]
},
"release_date": "2022-09-11T22:00:00Z",
"title": "CVE-2014-3577"
},
{
"cve": "CVE-2014-3623",
"notes": [
{
"category": "description",
"text": "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszul\u00f6sen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte."
}
],
"product_status": {
"known_affected": [
"T024527",
"67646",
"T000126",
"T024764"
]
},
"release_date": "2022-09-11T22:00:00Z",
"title": "CVE-2014-3623"
},
{
"cve": "CVE-2015-0227",
"notes": [
{
"category": "description",
"text": "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszul\u00f6sen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte."
}
],
"product_status": {
"known_affected": [
"T024527",
"67646",
"T000126",
"T024764"
]
},
"release_date": "2022-09-11T22:00:00Z",
"title": "CVE-2015-0227"
},
{
"cve": "CVE-2015-2575",
"notes": [
{
"category": "description",
"text": "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszul\u00f6sen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte."
}
],
"product_status": {
"known_affected": [
"T024527",
"67646",
"T000126",
"T024764"
]
},
"release_date": "2022-09-11T22:00:00Z",
"title": "CVE-2015-2575"
},
{
"cve": "CVE-2015-3253",
"notes": [
{
"category": "description",
"text": "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszul\u00f6sen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte."
}
],
"product_status": {
"known_affected": [
"T024527",
"67646",
"T000126",
"T024764"
]
},
"release_date": "2022-09-11T22:00:00Z",
"title": "CVE-2015-3253"
},
{
"cve": "CVE-2015-4852",
"notes": [
{
"category": "description",
"text": "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszul\u00f6sen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte."
}
],
"product_status": {
"known_affected": [
"T024527",
"67646",
"T000126",
"T024764"
]
},
"release_date": "2022-09-11T22:00:00Z",
"title": "CVE-2015-4852"
},
{
"cve": "CVE-2015-7940",
"notes": [
{
"category": "description",
"text": "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszul\u00f6sen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte."
}
],
"product_status": {
"known_affected": [
"T024527",
"67646",
"T000126",
"T024764"
]
},
"release_date": "2022-09-11T22:00:00Z",
"title": "CVE-2015-7940"
},
{
"cve": "CVE-2016-10750",
"notes": [
{
"category": "description",
"text": "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszul\u00f6sen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte."
}
],
"product_status": {
"known_affected": [
"T024527",
"67646",
"T000126",
"T024764"
]
},
"release_date": "2022-09-11T22:00:00Z",
"title": "CVE-2016-10750"
},
{
"cve": "CVE-2016-3092",
"notes": [
{
"category": "description",
"text": "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszul\u00f6sen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte."
}
],
"product_status": {
"known_affected": [
"T024527",
"67646",
"T000126",
"T024764"
]
},
"release_date": "2022-09-11T22:00:00Z",
"title": "CVE-2016-3092"
},
{
"cve": "CVE-2016-3674",
"notes": [
{
"category": "description",
"text": "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszul\u00f6sen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte."
}
],
"product_status": {
"known_affected": [
"T024527",
"67646",
"T000126",
"T024764"
]
},
"release_date": "2022-09-11T22:00:00Z",
"title": "CVE-2016-3674"
},
{
"cve": "CVE-2016-6501",
"notes": [
{
"category": "description",
"text": "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszul\u00f6sen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte."
}
],
"product_status": {
"known_affected": [
"T024527",
"67646",
"T000126",
"T024764"
]
},
"release_date": "2022-09-11T22:00:00Z",
"title": "CVE-2016-6501"
},
{
"cve": "CVE-2016-8735",
"notes": [
{
"category": "description",
"text": "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszul\u00f6sen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte."
}
],
"product_status": {
"known_affected": [
"T024527",
"67646",
"T000126",
"T024764"
]
},
"release_date": "2022-09-11T22:00:00Z",
"title": "CVE-2016-8735"
},
{
"cve": "CVE-2016-8745",
"notes": [
{
"category": "description",
"text": "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszul\u00f6sen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte."
}
],
"product_status": {
"known_affected": [
"T024527",
"67646",
"T000126",
"T024764"
]
},
"release_date": "2022-09-11T22:00:00Z",
"title": "CVE-2016-8745"
},
{
"cve": "CVE-2017-1000487",
"notes": [
{
"category": "description",
"text": "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszul\u00f6sen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte."
}
],
"product_status": {
"known_affected": [
"T024527",
"67646",
"T000126",
"T024764"
]
},
"release_date": "2022-09-11T22:00:00Z",
"title": "CVE-2017-1000487"
},
{
"cve": "CVE-2017-15095",
"notes": [
{
"category": "description",
"text": "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszul\u00f6sen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte."
}
],
"product_status": {
"known_affected": [
"T024527",
"67646",
"T000126",
"T024764"
]
},
"release_date": "2022-09-11T22:00:00Z",
"title": "CVE-2017-15095"
},
{
"cve": "CVE-2017-17485",
"notes": [
{
"category": "description",
"text": "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszul\u00f6sen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte."
}
],
"product_status": {
"known_affected": [
"T024527",
"67646",
"T000126",
"T024764"
]
},
"release_date": "2022-09-11T22:00:00Z",
"title": "CVE-2017-17485"
},
{
"cve": "CVE-2017-18214",
"notes": [
{
"category": "description",
"text": "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszul\u00f6sen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte."
}
],
"product_status": {
"known_affected": [
"T024527",
"67646",
"T000126",
"T024764"
]
},
"release_date": "2022-09-11T22:00:00Z",
"title": "CVE-2017-18214"
},
{
"cve": "CVE-2017-18640",
"notes": [
{
"category": "description",
"text": "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszul\u00f6sen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte."
}
],
"product_status": {
"known_affected": [
"T024527",
"67646",
"T000126",
"T024764"
]
},
"release_date": "2022-09-11T22:00:00Z",
"title": "CVE-2017-18640"
},
{
"cve": "CVE-2017-7525",
"notes": [
{
"category": "description",
"text": "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszul\u00f6sen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte."
}
],
"product_status": {
"known_affected": [
"T024527",
"67646",
"T000126",
"T024764"
]
},
"release_date": "2022-09-11T22:00:00Z",
"title": "CVE-2017-7525"
},
{
"cve": "CVE-2017-7657",
"notes": [
{
"category": "description",
"text": "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszul\u00f6sen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte."
}
],
"product_status": {
"known_affected": [
"T024527",
"67646",
"T000126",
"T024764"
]
},
"release_date": "2022-09-11T22:00:00Z",
"title": "CVE-2017-7657"
},
{
"cve": "CVE-2017-7957",
"notes": [
{
"category": "description",
"text": "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszul\u00f6sen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte."
}
],
"product_status": {
"known_affected": [
"T024527",
"67646",
"T000126",
"T024764"
]
},
"release_date": "2022-09-11T22:00:00Z",
"title": "CVE-2017-7957"
},
{
"cve": "CVE-2017-9506",
"notes": [
{
"category": "description",
"text": "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszul\u00f6sen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte."
}
],
"product_status": {
"known_affected": [
"T024527",
"67646",
"T000126",
"T024764"
]
},
"release_date": "2022-09-11T22:00:00Z",
"title": "CVE-2017-9506"
},
{
"cve": "CVE-2018-1000206",
"notes": [
{
"category": "description",
"text": "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszul\u00f6sen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte."
}
],
"product_status": {
"known_affected": [
"T024527",
"67646",
"T000126",
"T024764"
]
},
"release_date": "2022-09-11T22:00:00Z",
"title": "CVE-2018-1000206"
},
{
"cve": "CVE-2018-9116",
"notes": [
{
"category": "description",
"text": "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszul\u00f6sen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte."
}
],
"product_status": {
"known_affected": [
"T024527",
"67646",
"T000126",
"T024764"
]
},
"release_date": "2022-09-11T22:00:00Z",
"title": "CVE-2018-9116"
},
{
"cve": "CVE-2019-10219",
"notes": [
{
"category": "description",
"text": "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszul\u00f6sen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte."
}
],
"product_status": {
"known_affected": [
"T024527",
"67646",
"T000126",
"T024764"
]
},
"release_date": "2022-09-11T22:00:00Z",
"title": "CVE-2019-10219"
},
{
"cve": "CVE-2019-12402",
"notes": [
{
"category": "description",
"text": "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszul\u00f6sen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte."
}
],
"product_status": {
"known_affected": [
"T024527",
"67646",
"T000126",
"T024764"
]
},
"release_date": "2022-09-11T22:00:00Z",
"title": "CVE-2019-12402"
},
{
"cve": "CVE-2019-17359",
"notes": [
{
"category": "description",
"text": "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszul\u00f6sen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte."
}
],
"product_status": {
"known_affected": [
"T024527",
"67646",
"T000126",
"T024764"
]
},
"release_date": "2022-09-11T22:00:00Z",
"title": "CVE-2019-17359"
},
{
"cve": "CVE-2019-17571",
"notes": [
{
"category": "description",
"text": "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszul\u00f6sen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte."
}
],
"product_status": {
"known_affected": [
"T024527",
"67646",
"T000126",
"T024764"
]
},
"release_date": "2022-09-11T22:00:00Z",
"title": "CVE-2019-17571"
},
{
"cve": "CVE-2019-20104",
"notes": [
{
"category": "description",
"text": "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszul\u00f6sen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte."
}
],
"product_status": {
"known_affected": [
"T024527",
"67646",
"T000126",
"T024764"
]
},
"release_date": "2022-09-11T22:00:00Z",
"title": "CVE-2019-20104"
},
{
"cve": "CVE-2020-11996",
"notes": [
{
"category": "description",
"text": "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszul\u00f6sen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte."
}
],
"product_status": {
"known_affected": [
"T024527",
"67646",
"T000126",
"T024764"
]
},
"release_date": "2022-09-11T22:00:00Z",
"title": "CVE-2020-11996"
},
{
"cve": "CVE-2020-13934",
"notes": [
{
"category": "description",
"text": "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszul\u00f6sen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte."
}
],
"product_status": {
"known_affected": [
"T024527",
"67646",
"T000126",
"T024764"
]
},
"release_date": "2022-09-11T22:00:00Z",
"title": "CVE-2020-13934"
},
{
"cve": "CVE-2020-13935",
"notes": [
{
"category": "description",
"text": "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszul\u00f6sen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte."
}
],
"product_status": {
"known_affected": [
"T024527",
"67646",
"T000126",
"T024764"
]
},
"release_date": "2022-09-11T22:00:00Z",
"title": "CVE-2020-13935"
},
{
"cve": "CVE-2020-13949",
"notes": [
{
"category": "description",
"text": "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszul\u00f6sen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte."
}
],
"product_status": {
"known_affected": [
"T024527",
"67646",
"T000126",
"T024764"
]
},
"release_date": "2022-09-11T22:00:00Z",
"title": "CVE-2020-13949"
},
{
"cve": "CVE-2020-14340",
"notes": [
{
"category": "description",
"text": "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszul\u00f6sen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte."
}
],
"product_status": {
"known_affected": [
"T024527",
"67646",
"T000126",
"T024764"
]
},
"release_date": "2022-09-11T22:00:00Z",
"title": "CVE-2020-14340"
},
{
"cve": "CVE-2020-15586",
"notes": [
{
"category": "description",
"text": "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszul\u00f6sen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte."
}
],
"product_status": {
"known_affected": [
"T024527",
"67646",
"T000126",
"T024764"
]
},
"release_date": "2022-09-11T22:00:00Z",
"title": "CVE-2020-15586"
},
{
"cve": "CVE-2020-1745",
"notes": [
{
"category": "description",
"text": "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszul\u00f6sen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte."
}
],
"product_status": {
"known_affected": [
"T024527",
"67646",
"T000126",
"T024764"
]
},
"release_date": "2022-09-11T22:00:00Z",
"title": "CVE-2020-1745"
},
{
"cve": "CVE-2020-17521",
"notes": [
{
"category": "description",
"text": "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszul\u00f6sen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte."
}
],
"product_status": {
"known_affected": [
"T024527",
"67646",
"T000126",
"T024764"
]
},
"release_date": "2022-09-11T22:00:00Z",
"title": "CVE-2020-17521"
},
{
"cve": "CVE-2020-25649",
"notes": [
{
"category": "description",
"text": "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszul\u00f6sen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte."
}
],
"product_status": {
"known_affected": [
"T024527",
"67646",
"T000126",
"T024764"
]
},
"release_date": "2022-09-11T22:00:00Z",
"title": "CVE-2020-25649"
},
{
"cve": "CVE-2020-28500",
"notes": [
{
"category": "description",
"text": "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszul\u00f6sen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte."
}
],
"product_status": {
"known_affected": [
"T024527",
"67646",
"T000126",
"T024764"
]
},
"release_date": "2022-09-11T22:00:00Z",
"title": "CVE-2020-28500"
},
{
"cve": "CVE-2020-29582",
"notes": [
{
"category": "description",
"text": "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszul\u00f6sen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte."
}
],
"product_status": {
"known_affected": [
"T024527",
"67646",
"T000126",
"T024764"
]
},
"release_date": "2022-09-11T22:00:00Z",
"title": "CVE-2020-29582"
},
{
"cve": "CVE-2020-36518",
"notes": [
{
"category": "description",
"text": "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszul\u00f6sen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte."
}
],
"product_status": {
"known_affected": [
"T024527",
"67646",
"T000126",
"T024764"
]
},
"release_date": "2022-09-11T22:00:00Z",
"title": "CVE-2020-36518"
},
{
"cve": "CVE-2020-7226",
"notes": [
{
"category": "description",
"text": "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszul\u00f6sen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte."
}
],
"product_status": {
"known_affected": [
"T024527",
"67646",
"T000126",
"T024764"
]
},
"release_date": "2022-09-11T22:00:00Z",
"title": "CVE-2020-7226"
},
{
"cve": "CVE-2020-7692",
"notes": [
{
"category": "description",
"text": "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszul\u00f6sen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte."
}
],
"product_status": {
"known_affected": [
"T024527",
"67646",
"T000126",
"T024764"
]
},
"release_date": "2022-09-11T22:00:00Z",
"title": "CVE-2020-7692"
},
{
"cve": "CVE-2020-8203",
"notes": [
{
"category": "description",
"text": "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszul\u00f6sen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte."
}
],
"product_status": {
"known_affected": [
"T024527",
"67646",
"T000126",
"T024764"
]
},
"release_date": "2022-09-11T22:00:00Z",
"title": "CVE-2020-8203"
},
{
"cve": "CVE-2021-13936",
"notes": [
{
"category": "description",
"text": "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszul\u00f6sen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte."
}
],
"product_status": {
"known_affected": [
"T024527",
"67646",
"T000126",
"T024764"
]
},
"release_date": "2022-09-11T22:00:00Z",
"title": "CVE-2021-13936"
},
{
"cve": "CVE-2021-21290",
"notes": [
{
"category": "description",
"text": "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszul\u00f6sen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte."
}
],
"product_status": {
"known_affected": [
"T024527",
"67646",
"T000126",
"T024764"
]
},
"release_date": "2022-09-11T22:00:00Z",
"title": "CVE-2021-21290"
},
{
"cve": "CVE-2021-22060",
"notes": [
{
"category": "description",
"text": "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszul\u00f6sen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte."
}
],
"product_status": {
"known_affected": [
"T024527",
"67646",
"T000126",
"T024764"
]
},
"release_date": "2022-09-11T22:00:00Z",
"title": "CVE-2021-22060"
},
{
"cve": "CVE-2021-22112",
"notes": [
{
"category": "description",
"text": "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszul\u00f6sen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte."
}
],
"product_status": {
"known_affected": [
"T024527",
"67646",
"T000126",
"T024764"
]
},
"release_date": "2022-09-11T22:00:00Z",
"title": "CVE-2021-22112"
},
{
"cve": "CVE-2021-22119",
"notes": [
{
"category": "description",
"text": "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszul\u00f6sen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte."
}
],
"product_status": {
"known_affected": [
"T024527",
"67646",
"T000126",
"T024764"
]
},
"release_date": "2022-09-11T22:00:00Z",
"title": "CVE-2021-22119"
},
{
"cve": "CVE-2021-22147",
"notes": [
{
"category": "description",
"text": "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszul\u00f6sen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte."
}
],
"product_status": {
"known_affected": [
"T024527",
"67646",
"T000126",
"T024764"
]
},
"release_date": "2022-09-11T22:00:00Z",
"title": "CVE-2021-22147"
},
{
"cve": "CVE-2021-22148",
"notes": [
{
"category": "description",
"text": "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszul\u00f6sen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte."
}
],
"product_status": {
"known_affected": [
"T024527",
"67646",
"T000126",
"T024764"
]
},
"release_date": "2022-09-11T22:00:00Z",
"title": "CVE-2021-22148"
},
{
"cve": "CVE-2021-22149",
"notes": [
{
"category": "description",
"text": "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszul\u00f6sen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte."
}
],
"product_status": {
"known_affected": [
"T024527",
"67646",
"T000126",
"T024764"
]
},
"release_date": "2022-09-11T22:00:00Z",
"title": "CVE-2021-22149"
},
{
"cve": "CVE-2021-22573",
"notes": [
{
"category": "description",
"text": "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszul\u00f6sen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte."
}
],
"product_status": {
"known_affected": [
"T024527",
"67646",
"T000126",
"T024764"
]
},
"release_date": "2022-09-11T22:00:00Z",
"title": "CVE-2021-22573"
},
{
"cve": "CVE-2021-23337",
"notes": [
{
"category": "description",
"text": "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszul\u00f6sen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte."
}
],
"product_status": {
"known_affected": [
"T024527",
"67646",
"T000126",
"T024764"
]
},
"release_date": "2022-09-11T22:00:00Z",
"title": "CVE-2021-23337"
},
{
"cve": "CVE-2021-25122",
"notes": [
{
"category": "description",
"text": "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszul\u00f6sen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte."
}
],
"product_status": {
"known_affected": [
"T024527",
"67646",
"T000126",
"T024764"
]
},
"release_date": "2022-09-11T22:00:00Z",
"title": "CVE-2021-25122"
},
{
"cve": "CVE-2021-26291",
"notes": [
{
"category": "description",
"text": "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszul\u00f6sen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte."
}
],
"product_status": {
"known_affected": [
"T024527",
"67646",
"T000126",
"T024764"
]
},
"release_date": "2022-09-11T22:00:00Z",
"title": "CVE-2021-26291"
},
{
"cve": "CVE-2021-27568",
"notes": [
{
"category": "description",
"text": "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszul\u00f6sen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte."
}
],
"product_status": {
"known_affected": [
"T024527",
"67646",
"T000126",
"T024764"
]
},
"release_date": "2022-09-11T22:00:00Z",
"title": "CVE-2021-27568"
},
{
"cve": "CVE-2021-29505",
"notes": [
{
"category": "description",
"text": "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszul\u00f6sen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte."
}
],
"product_status": {
"known_affected": [
"T024527",
"67646",
"T000126",
"T024764"
]
},
"release_date": "2022-09-11T22:00:00Z",
"title": "CVE-2021-29505"
},
{
"cve": "CVE-2021-30129",
"notes": [
{
"category": "description",
"text": "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszul\u00f6sen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte."
}
],
"product_status": {
"known_affected": [
"T024527",
"67646",
"T000126",
"T024764"
]
},
"release_date": "2022-09-11T22:00:00Z",
"title": "CVE-2021-30129"
},
{
"cve": "CVE-2021-33037",
"notes": [
{
"category": "description",
"text": "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszul\u00f6sen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte."
}
],
"product_status": {
"known_affected": [
"T024527",
"67646",
"T000126",
"T024764"
]
},
"release_date": "2022-09-11T22:00:00Z",
"title": "CVE-2021-33037"
},
{
"cve": "CVE-2021-35550",
"notes": [
{
"category": "description",
"text": "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszul\u00f6sen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte."
}
],
"product_status": {
"known_affected": [
"T024527",
"67646",
"T000126",
"T024764"
]
},
"release_date": "2022-09-11T22:00:00Z",
"title": "CVE-2021-35550"
},
{
"cve": "CVE-2021-35556",
"notes": [
{
"category": "description",
"text": "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszul\u00f6sen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte."
}
],
"product_status": {
"known_affected": [
"T024527",
"67646",
"T000126",
"T024764"
]
},
"release_date": "2022-09-11T22:00:00Z",
"title": "CVE-2021-35556"
},
{
"cve": "CVE-2021-35560",
"notes": [
{
"category": "description",
"text": "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszul\u00f6sen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte."
}
],
"product_status": {
"known_affected": [
"T024527",
"67646",
"T000126",
"T024764"
]
},
"release_date": "2022-09-11T22:00:00Z",
"title": "CVE-2021-35560"
},
{
"cve": "CVE-2021-35561",
"notes": [
{
"category": "description",
"text": "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszul\u00f6sen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte."
}
],
"product_status": {
"known_affected": [
"T024527",
"67646",
"T000126",
"T024764"
]
},
"release_date": "2022-09-11T22:00:00Z",
"title": "CVE-2021-35561"
},
{
"cve": "CVE-2021-35564",
"notes": [
{
"category": "description",
"text": "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszul\u00f6sen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte."
}
],
"product_status": {
"known_affected": [
"T024527",
"67646",
"T000126",
"T024764"
]
},
"release_date": "2022-09-11T22:00:00Z",
"title": "CVE-2021-35564"
},
{
"cve": "CVE-2021-35565",
"notes": [
{
"category": "description",
"text": "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszul\u00f6sen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte."
}
],
"product_status": {
"known_affected": [
"T024527",
"67646",
"T000126",
"T024764"
]
},
"release_date": "2022-09-11T22:00:00Z",
"title": "CVE-2021-35565"
},
{
"cve": "CVE-2021-35567",
"notes": [
{
"category": "description",
"text": "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszul\u00f6sen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte."
}
],
"product_status": {
"known_affected": [
"T024527",
"67646",
"T000126",
"T024764"
]
},
"release_date": "2022-09-11T22:00:00Z",
"title": "CVE-2021-35567"
},
{
"cve": "CVE-2021-35578",
"notes": [
{
"category": "description",
"text": "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszul\u00f6sen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte."
}
],
"product_status": {
"known_affected": [
"T024527",
"67646",
"T000126",
"T024764"
]
},
"release_date": "2022-09-11T22:00:00Z",
"title": "CVE-2021-35578"
},
{
"cve": "CVE-2021-35586",
"notes": [
{
"category": "description",
"text": "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszul\u00f6sen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte."
}
],
"product_status": {
"known_affected": [
"T024527",
"67646",
"T000126",
"T024764"
]
},
"release_date": "2022-09-11T22:00:00Z",
"title": "CVE-2021-35586"
},
{
"cve": "CVE-2021-35588",
"notes": [
{
"category": "description",
"text": "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszul\u00f6sen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte."
}
],
"product_status": {
"known_affected": [
"T024527",
"67646",
"T000126",
"T024764"
]
},
"release_date": "2022-09-11T22:00:00Z",
"title": "CVE-2021-35588"
},
{
"cve": "CVE-2021-35603",
"notes": [
{
"category": "description",
"text": "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszul\u00f6sen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte."
}
],
"product_status": {
"known_affected": [
"T024527",
"67646",
"T000126",
"T024764"
]
},
"release_date": "2022-09-11T22:00:00Z",
"title": "CVE-2021-35603"
},
{
"cve": "CVE-2021-36374",
"notes": [
{
"category": "description",
"text": "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszul\u00f6sen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte."
}
],
"product_status": {
"known_affected": [
"T024527",
"67646",
"T000126",
"T024764"
]
},
"release_date": "2022-09-11T22:00:00Z",
"title": "CVE-2021-36374"
},
{
"cve": "CVE-2021-3765",
"notes": [
{
"category": "description",
"text": "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszul\u00f6sen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte."
}
],
"product_status": {
"known_affected": [
"T024527",
"67646",
"T000126",
"T024764"
]
},
"release_date": "2022-09-11T22:00:00Z",
"title": "CVE-2021-3765"
},
{
"cve": "CVE-2021-3807",
"notes": [
{
"category": "description",
"text": "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszul\u00f6sen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte."
}
],
"product_status": {
"known_affected": [
"T024527",
"67646",
"T000126",
"T024764"
]
},
"release_date": "2022-09-11T22:00:00Z",
"title": "CVE-2021-3807"
},
{
"cve": "CVE-2021-38561",
"notes": [
{
"category": "description",
"text": "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszul\u00f6sen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte."
}
],
"product_status": {
"known_affected": [
"T024527",
"67646",
"T000126",
"T024764"
]
},
"release_date": "2022-09-11T22:00:00Z",
"title": "CVE-2021-38561"
},
{
"cve": "CVE-2021-3859",
"notes": [
{
"category": "description",
"text": "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszul\u00f6sen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte."
}
],
"product_status": {
"known_affected": [
"T024527",
"67646",
"T000126",
"T024764"
]
},
"release_date": "2022-09-11T22:00:00Z",
"title": "CVE-2021-3859"
},
{
"cve": "CVE-2021-41090",
"notes": [
{
"category": "description",
"text": "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszul\u00f6sen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte."
}
],
"product_status": {
"known_affected": [
"T024527",
"67646",
"T000126",
"T024764"
]
},
"release_date": "2022-09-11T22:00:00Z",
"title": "CVE-2021-41090"
},
{
"cve": "CVE-2021-41091",
"notes": [
{
"category": "description",
"text": "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszul\u00f6sen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte."
}
],
"product_status": {
"known_affected": [
"T024527",
"67646",
"T000126",
"T024764"
]
},
"release_date": "2022-09-11T22:00:00Z",
"title": "CVE-2021-41091"
},
{
"cve": "CVE-2021-42340",
"notes": [
{
"category": "description",
"text": "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszul\u00f6sen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte."
}
],
"product_status": {
"known_affected": [
"T024527",
"67646",
"T000126",
"T024764"
]
},
"release_date": "2022-09-11T22:00:00Z",
"title": "CVE-2021-42340"
},
{
"cve": "CVE-2021-42550",
"notes": [
{
"category": "description",
"text": "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszul\u00f6sen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte."
}
],
"product_status": {
"known_affected": [
"T024527",
"67646",
"T000126",
"T024764"
]
},
"release_date": "2022-09-11T22:00:00Z",
"title": "CVE-2021-42550"
},
{
"cve": "CVE-2021-43797",
"notes": [
{
"category": "description",
"text": "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszul\u00f6sen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte."
}
],
"product_status": {
"known_affected": [
"T024527",
"67646",
"T000126",
"T024764"
]
},
"release_date": "2022-09-11T22:00:00Z",
"title": "CVE-2021-43797"
},
{
"cve": "CVE-2022-0536",
"notes": [
{
"category": "description",
"text": "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszul\u00f6sen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte."
}
],
"product_status": {
"known_affected": [
"T024527",
"67646",
"T000126",
"T024764"
]
},
"release_date": "2022-09-11T22:00:00Z",
"title": "CVE-2022-0536"
},
{
"cve": "CVE-2022-22963",
"notes": [
{
"category": "description",
"text": "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszul\u00f6sen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte."
}
],
"product_status": {
"known_affected": [
"T024527",
"67646",
"T000126",
"T024764"
]
},
"release_date": "2022-09-11T22:00:00Z",
"title": "CVE-2022-22963"
},
{
"cve": "CVE-2022-23632",
"notes": [
{
"category": "description",
"text": "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszul\u00f6sen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte."
}
],
"product_status": {
"known_affected": [
"T024527",
"67646",
"T000126",
"T024764"
]
},
"release_date": "2022-09-11T22:00:00Z",
"title": "CVE-2022-23632"
},
{
"cve": "CVE-2022-23648",
"notes": [
{
"category": "description",
"text": "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszul\u00f6sen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte."
}
],
"product_status": {
"known_affected": [
"T024527",
"67646",
"T000126",
"T024764"
]
},
"release_date": "2022-09-11T22:00:00Z",
"title": "CVE-2022-23648"
},
{
"cve": "CVE-2022-23806",
"notes": [
{
"category": "description",
"text": "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszul\u00f6sen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte."
}
],
"product_status": {
"known_affected": [
"T024527",
"67646",
"T000126",
"T024764"
]
},
"release_date": "2022-09-11T22:00:00Z",
"title": "CVE-2022-23806"
},
{
"cve": "CVE-2022-24769",
"notes": [
{
"category": "description",
"text": "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszul\u00f6sen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte."
}
],
"product_status": {
"known_affected": [
"T024527",
"67646",
"T000126",
"T024764"
]
},
"release_date": "2022-09-11T22:00:00Z",
"title": "CVE-2022-24769"
},
{
"cve": "CVE-2022-24823",
"notes": [
{
"category": "description",
"text": "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszul\u00f6sen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte."
}
],
"product_status": {
"known_affected": [
"T024527",
"67646",
"T000126",
"T024764"
]
},
"release_date": "2022-09-11T22:00:00Z",
"title": "CVE-2022-24823"
},
{
"cve": "CVE-2022-27191",
"notes": [
{
"category": "description",
"text": "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszul\u00f6sen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte."
}
],
"product_status": {
"known_affected": [
"T024527",
"67646",
"T000126",
"T024764"
]
},
"release_date": "2022-09-11T22:00:00Z",
"title": "CVE-2022-27191"
},
{
"cve": "CVE-2022-29153",
"notes": [
{
"category": "description",
"text": "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszul\u00f6sen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte."
}
],
"product_status": {
"known_affected": [
"T024527",
"67646",
"T000126",
"T024764"
]
},
"release_date": "2022-09-11T22:00:00Z",
"title": "CVE-2022-29153"
},
{
"cve": "CVE-2022-32212",
"notes": [
{
"category": "description",
"text": "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszul\u00f6sen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte."
}
],
"product_status": {
"known_affected": [
"T024527",
"67646",
"T000126",
"T024764"
]
},
"release_date": "2022-09-11T22:00:00Z",
"title": "CVE-2022-32212"
},
{
"cve": "CVE-2022-32213",
"notes": [
{
"category": "description",
"text": "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszul\u00f6sen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte."
}
],
"product_status": {
"known_affected": [
"T024527",
"67646",
"T000126",
"T024764"
]
},
"release_date": "2022-09-11T22:00:00Z",
"title": "CVE-2022-32213"
},
{
"cve": "CVE-2022-32214",
"notes": [
{
"category": "description",
"text": "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszul\u00f6sen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte."
}
],
"product_status": {
"known_affected": [
"T024527",
"67646",
"T000126",
"T024764"
]
},
"release_date": "2022-09-11T22:00:00Z",
"title": "CVE-2022-32214"
},
{
"cve": "CVE-2022-32215",
"notes": [
{
"category": "description",
"text": "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszul\u00f6sen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte."
}
],
"product_status": {
"known_affected": [
"T024527",
"67646",
"T000126",
"T024764"
]
},
"release_date": "2022-09-11T22:00:00Z",
"title": "CVE-2022-32215"
},
{
"cve": "CVE-2022-32223",
"notes": [
{
"category": "description",
"text": "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszul\u00f6sen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte."
}
],
"product_status": {
"known_affected": [
"T024527",
"67646",
"T000126",
"T024764"
]
},
"release_date": "2022-09-11T22:00:00Z",
"title": "CVE-2022-32223"
}
]
}
ghsa-p66x-2cv9-qq3v
Vulnerability from github
Published
2020-06-10 23:38
Modified
2024-06-05 15:57
Summary
Arbitrary code execution in Apache Commons BeanUtils
Details
Apache Commons BeanUtils, as distributed in lib/commons-beanutils-1.8.0.jar in Apache Struts 1.x through 1.3.10 and in other products requiring commons-beanutils through 1.9.2, does not suppress the class property, which allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via the class parameter, as demonstrated by the passing of this parameter to the getClass method of the ActionForm object in Struts 1.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "commons-beanutils:commons-beanutils"
},
"ranges": [
{
"events": [
{
"introduced": "1.8.0"
},
{
"fixed": "1.9.4"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2014-0114"
],
"database_specific": {
"cwe_ids": [
"CWE-20"
],
"github_reviewed": true,
"github_reviewed_at": "2020-06-10T23:37:42Z",
"nvd_published_at": "2014-04-30T10:49:00Z",
"severity": "HIGH"
},
"details": "Apache Commons BeanUtils, as distributed in lib/commons-beanutils-1.8.0.jar in Apache Struts 1.x through 1.3.10 and in other products requiring commons-beanutils through 1.9.2, does not suppress the class property, which allows remote attackers to \"manipulate\" the ClassLoader and execute arbitrary code via the class parameter, as demonstrated by the passing of this parameter to the getClass method of the ActionForm object in Struts 1.",
"id": "GHSA-p66x-2cv9-qq3v",
"modified": "2024-06-05T15:57:09Z",
"published": "2020-06-10T23:38:01Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2014-0114"
},
{
"type": "WEB",
"url": "https://github.com/apache/commons-beanutils/pull/7"
},
{
"type": "WEB",
"url": "https://github.com/apache/commons-beanutils/commit/62e82ad92cf4818709d6044aaf257b73d42659a4"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/aa4ca069c7aea5b1d7329bc21576c44a39bcc4eb7bb2760c4b16f2f6%40%3Cissues.commons.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/aa4ca069c7aea5b1d7329bc21576c44a39bcc4eb7bb2760c4b16f2f6@%3Cissues.commons.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442%40%3Cdev.drill.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@%3Cdev.drill.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/c24c0b931632a397142882ba248b7bd440027960f22845c6f664c639%40%3Ccommits.commons.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/c24c0b931632a397142882ba248b7bd440027960f22845c6f664c639@%3Ccommits.commons.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/c70da3cb6e3f03e0ad8013e38b6959419d866c4a7c80fdd34b73f25c%40%3Ccommits.pulsar.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/c70da3cb6e3f03e0ad8013e38b6959419d866c4a7c80fdd34b73f25c@%3Ccommits.pulsar.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/c7e31c3c90b292e0bafccc4e1b19c9afc1503a65d82cb7833dfd7478%40%3Cissues.commons.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/c7e31c3c90b292e0bafccc4e1b19c9afc1503a65d82cb7833dfd7478@%3Cissues.commons.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/cee6b1c4533be1a753614f6a7d7c533c42091e7cafd7053b8f62792a%40%3Cissues.commons.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/cee6b1c4533be1a753614f6a7d7c533c42091e7cafd7053b8f62792a@%3Cissues.commons.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/d27c51b3c933f885460aa6d3004eb228916615caaaddbb8e8bfeeb40%40%3Cgitbox.activemq.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/d27c51b3c933f885460aa6d3004eb228916615caaaddbb8e8bfeeb40@%3Cgitbox.activemq.apache.org%3E"
},
{
"type": "WEB",
"url": "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/9b5505632f5683ee17bda4f7878525e672226c7807d57709283ffa64@%3Cissues.commons.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/9b5505632f5683ee17bda4f7878525e672226c7807d57709283ffa64%40%3Cissues.commons.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/97fc033dad4233a5d82fcb75521eabdd23dd99ef32eb96f407f96a1a@%3Cissues.commons.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/97fc033dad4233a5d82fcb75521eabdd23dd99ef32eb96f407f96a1a%40%3Cissues.commons.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/956995acee0d8bc046f1df0a55b7fbeb65dd2f82864e5de1078bacb0@%3Cissues.commons.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/956995acee0d8bc046f1df0a55b7fbeb65dd2f82864e5de1078bacb0%40%3Cissues.commons.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/9317fd092b257a0815434b116a8af8daea6e920b6673f4fd5583d5fe@%3Ccommits.druid.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/9317fd092b257a0815434b116a8af8daea6e920b6673f4fd5583d5fe%40%3Ccommits.druid.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/918ec15a80fc766ff46c5d769cb8efc88fed6674faadd61a7105166b@%3Cannounce.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/918ec15a80fc766ff46c5d769cb8efc88fed6674faadd61a7105166b%40%3Cannounce.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/8e2bdfabd5b14836aa3cf900aa0a62ff9f4e22a518bb4e553ebcf55f@%3Cissues.commons.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/8e2bdfabd5b14836aa3cf900aa0a62ff9f4e22a518bb4e553ebcf55f%40%3Cissues.commons.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/88c497eead24ed517a2bb3159d3dc48725c215e97fe7a98b2cf3ea25@%3Cdev.commons.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/88c497eead24ed517a2bb3159d3dc48725c215e97fe7a98b2cf3ea25%40%3Cdev.commons.apache.org%3E"
},
{
"type": "WEB",
"url": "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html"
},
{
"type": "WEB",
"url": "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html"
},
{
"type": "WEB",
"url": "https://web.archive.org/web/20150710065242/http://www.securityfocus.com/archive/1/534161/100/0/threaded"
},
{
"type": "WEB",
"url": "https://web.archive.org/web/20140618110851/http://www.securityfocus.com/bid/67121"
},
{
"type": "WEB",
"url": "https://snyk.io/vuln/SNYK-JAVA-COMMONSBEANUTILS-30077"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20180629-0006"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20140911-0001"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/201607-09"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/rf5230a049d989dbfdd404b4320a265dceeeba459a4d04ec21873bd55%40%3Csolr-user.lucene.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r75d67108e557bb5d4c4318435067714a0180de525314b7e8dab9d04e@%3Cissues.activemq.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r75d67108e557bb5d4c4318435067714a0180de525314b7e8dab9d04e%40%3Cissues.activemq.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r458d61eaeadecaad04382ebe583230bc027f48d9e85e4731bc573477%40%3Ccommits.dolphinscheduler.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r204ba2a9ea750f38d789d2bb429cc0925ad6133deea7cbc3001d96b5@%3Csolr-user.lucene.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r204ba2a9ea750f38d789d2bb429cc0925ad6133deea7cbc3001d96b5%40%3Csolr-user.lucene.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/ffde3f266d3bde190b54c9202169e7918a92de7e7e0337d792dc7263@%3Cissues.commons.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/ffde3f266d3bde190b54c9202169e7918a92de7e7e0337d792dc7263%40%3Cissues.commons.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/fda473f46e51019a78ab217a7a3a3d48dafd90846e75bd5536ef72f3@%3Cnotifications.commons.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/fda473f46e51019a78ab217a7a3a3d48dafd90846e75bd5536ef72f3%40%3Cnotifications.commons.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@%3Cissues.drill.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc%40%3Cissues.drill.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/f3682772e62926b5c009eed63c62767021be6da0bb7427610751809f@%3Cissues.commons.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/f3682772e62926b5c009eed63c62767021be6da0bb7427610751809f%40%3Cissues.commons.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/ebc4f019798f6ce2a39f3e0c26a9068563a9ba092cdf3ece398d4e2f@%3Cnotifications.commons.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/ebc4f019798f6ce2a39f3e0c26a9068563a9ba092cdf3ece398d4e2f%40%3Cnotifications.commons.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/df1c385f2112edffeff57a6b21d12e8d24031a9f578cb8ba22a947a8@%3Cissues.commons.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/df1c385f2112edffeff57a6b21d12e8d24031a9f578cb8ba22a947a8%40%3Cissues.commons.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/df093c662b5e49fe9e38ef91f78ffab09d0839dea7df69a747dffa86@%3Cdev.commons.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/df093c662b5e49fe9e38ef91f78ffab09d0839dea7df69a747dffa86%40%3Cdev.commons.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/2454e058fd05ba30ca29442fdeb7ea47505d47a888fbc9f3a53f31d0%40%3Cissues.commons.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/1f78f1e32cc5614ec0c5b822ba4bd7fc8e8b5c46c8e038b6bd609cb5@%3Cissues.commons.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/1f78f1e32cc5614ec0c5b822ba4bd7fc8e8b5c46c8e038b6bd609cb5%40%3Cissues.commons.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/15fcdf27fa060de276edc0b4098526afc21c236852eb3de9be9594f3@%3Cissues.commons.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/15fcdf27fa060de276edc0b4098526afc21c236852eb3de9be9594f3%40%3Cissues.commons.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/1565e8b786dff4cb3b48ecc8381222c462c92076c9e41408158797b5@%3Ccommits.commons.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/1565e8b786dff4cb3b48ecc8381222c462c92076c9e41408158797b5%40%3Ccommits.commons.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/0efed939139f5b9dcd62b8acf7cb8a9789227d14abdc0c6f141c4a4c@%3Cissues.activemq.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/0efed939139f5b9dcd62b8acf7cb8a9789227d14abdc0c6f141c4a4c%40%3Cissues.activemq.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/0a35108a56e2d575e3b3985588794e39fbf264097aba66f4c5569e4f@%3Cuser.commons.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/0a35108a56e2d575e3b3985588794e39fbf264097aba66f4c5569e4f%40%3Cuser.commons.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/09981ae3df188a2ad1ce20f62ef76a5b2d27cf6b9ebab366cf1d6cc6@%3Cissues.commons.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/09981ae3df188a2ad1ce20f62ef76a5b2d27cf6b9ebab366cf1d6cc6%40%3Cissues.commons.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/098e9aae118ac5c06998a9ba4544ab2475162981d290fdef88e6f883@%3Cissues.commons.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/098e9aae118ac5c06998a9ba4544ab2475162981d290fdef88e6f883%40%3Cissues.commons.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/084ae814e69178d2ce174cfdf149bc6e46d7524f3308c08d3adb43cb@%3Cissues.commons.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/084ae814e69178d2ce174cfdf149bc6e46d7524f3308c08d3adb43cb%40%3Cissues.commons.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/080af531a9113e29d3f6a060e3f992dc9f40315ec7234e15c3b339e3@%3Cissues.commons.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/080af531a9113e29d3f6a060e3f992dc9f40315ec7234e15c3b339e3%40%3Cissues.commons.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/0340493a1ddf3660dee09a5c503449cdac5bec48cdc478de65858859@%3Cdev.commons.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/0340493a1ddf3660dee09a5c503449cdac5bec48cdc478de65858859%40%3Cdev.commons.apache.org%3E"
},
{
"type": "WEB",
"url": "https://issues.apache.org/jira/browse/BEANUTILS-463"
},
{
"type": "WEB",
"url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05324755"
},
{
"type": "PACKAGE",
"url": "https://github.com/apache/commons-beanutils"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1116665"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1091938"
},
{
"type": "WEB",
"url": "https://access.redhat.com/solutions/869353"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2019:2995"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2018:2669"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/869c08899f34c1a70c9fb42f92ac0d043c98781317e0c19d7ba3f5e3@%3Cissues.commons.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/869c08899f34c1a70c9fb42f92ac0d043c98781317e0c19d7ba3f5e3%40%3Cissues.commons.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/708d94141126eac03011144a971a6411fcac16d9c248d1d535a39451@%3Csolr-user.lucene.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/708d94141126eac03011144a971a6411fcac16d9c248d1d535a39451%40%3Csolr-user.lucene.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/6b30629b32d020c40d537f00b004d281c37528d471de15ca8aec2cd4@%3Cissues.commons.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/6b30629b32d020c40d537f00b004d281c37528d471de15ca8aec2cd4%40%3Cissues.commons.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/6afe2f935493e69a332b9c5a4f23cafe95c15ede1591a492cf612293@%3Cissues.commons.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/6afe2f935493e69a332b9c5a4f23cafe95c15ede1591a492cf612293%40%3Cissues.commons.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/66176fa3caeca77058d9f5b0316419a43b4c3fa2b572e05b87132226@%3Cissues.commons.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/66176fa3caeca77058d9f5b0316419a43b4c3fa2b572e05b87132226%40%3Cissues.commons.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/65b39fa6d700e511927e5668a4038127432178a210aff81500eb36e5@%3Cissues.commons.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/65b39fa6d700e511927e5668a4038127432178a210aff81500eb36e5%40%3Cissues.commons.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f%40%3Cdev.drill.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/4c3fd707a049bfe0577dba8fc9c4868ffcdabe68ad86586a0a49242e@%3Cissues.commons.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/4c3fd707a049bfe0577dba8fc9c4868ffcdabe68ad86586a0a49242e%40%3Cissues.commons.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/42ad6326d62ea8453d0d0ce12eff39bbb7c5b4fca9639da007291346@%3Cissues.commons.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/42ad6326d62ea8453d0d0ce12eff39bbb7c5b4fca9639da007291346%40%3Cissues.commons.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/40fc236a35801a535cd49cf1979dbeab034b833c63a284941bce5bf1@%3Cdev.commons.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/40fc236a35801a535cd49cf1979dbeab034b833c63a284941bce5bf1%40%3Cdev.commons.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/3f500972dceb48e3cb351f58565aecf6728b1ea7a69593af86c30b30@%3Cissues.activemq.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/3f500972dceb48e3cb351f58565aecf6728b1ea7a69593af86c30b30%40%3Cissues.activemq.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/37e1ed724a1b0e5d191d98c822c426670bdfde83804567131847d2a3@%3Cdevnull.infra.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/37e1ed724a1b0e5d191d98c822c426670bdfde83804567131847d2a3%40%3Cdevnull.infra.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/31f9dc2c9cb68e390634a4202f84b8569f64b6569bfcce46348fd9fd@%3Ccommits.commons.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/31f9dc2c9cb68e390634a4202f84b8569f64b6569bfcce46348fd9fd%40%3Ccommits.commons.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/2ba22f2e3de945039db735cf6cbf7f8be901ab2537337c7b1dd6a0f0@%3Cissues.commons.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/2ba22f2e3de945039db735cf6cbf7f8be901ab2537337c7b1dd6a0f0%40%3Cissues.commons.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/2454e058fd05ba30ca29442fdeb7ea47505d47a888fbc9f3a53f31d0@%3Cissues.commons.apache.org%3E"
},
{
"type": "WEB",
"url": "http://advisories.mageia.org/MGASA-2014-0219.html"
},
{
"type": "WEB",
"url": "http://apache-ignite-developers.2346864.n4.nabble.com/CVE-2014-0114-Apache-Ignite-is-vulnerable-to-existing-CVE-2014-0114-td31205.html"
},
{
"type": "WEB",
"url": "http://commons.apache.org/proper/commons-beanutils/javadocs/v1.9.2/RELEASE-NOTES.txt"
},
{
"type": "WEB",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2014-August/136958.html"
},
{
"type": "WEB",
"url": "http://marc.info/?l=bugtraq\u0026m=140119284401582\u0026w=2"
},
{
"type": "WEB",
"url": "http://marc.info/?l=bugtraq\u0026m=140801096002766\u0026w=2"
},
{
"type": "WEB",
"url": "http://marc.info/?l=bugtraq\u0026m=141451023707502\u0026w=2"
},
{
"type": "WEB",
"url": "http://openwall.com/lists/oss-security/2014/06/15/10"
},
{
"type": "WEB",
"url": "http://openwall.com/lists/oss-security/2014/07/08/1"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2014/Dec/23"
},
{
"type": "WEB",
"url": "http://www-01.ibm.com/support/docview.wss?uid=swg21674128"
},
{
"type": "WEB",
"url": "http://www-01.ibm.com/support/docview.wss?uid=swg21674812"
},
{
"type": "WEB",
"url": "http://www-01.ibm.com/support/docview.wss?uid=swg21675266"
},
{
"type": "WEB",
"url": "http://www-01.ibm.com/support/docview.wss?uid=swg21675387"
},
{
"type": "WEB",
"url": "http://www-01.ibm.com/support/docview.wss?uid=swg21675689"
},
{
"type": "WEB",
"url": "http://www-01.ibm.com/support/docview.wss?uid=swg21675898"
},
{
"type": "WEB",
"url": "http://www-01.ibm.com/support/docview.wss?uid=swg21675972"
},
{
"type": "WEB",
"url": "http://www-01.ibm.com/support/docview.wss?uid=swg21676091"
},
{
"type": "WEB",
"url": "http://www-01.ibm.com/support/docview.wss?uid=swg21676110"
},
{
"type": "WEB",
"url": "http://www-01.ibm.com/support/docview.wss?uid=swg21676303"
},
{
"type": "WEB",
"url": "http://www-01.ibm.com/support/docview.wss?uid=swg21676375"
},
{
"type": "WEB",
"url": "http://www-01.ibm.com/support/docview.wss?uid=swg21676931"
},
{
"type": "WEB",
"url": "http://www-01.ibm.com/support/docview.wss?uid=swg21677110"
},
{
"type": "WEB",
"url": "http://www-01.ibm.com/support/docview.wss?uid=swg27042296"
},
{
"type": "WEB",
"url": "http://www.debian.org/security/2014/dsa-2940"
},
{
"type": "WEB",
"url": "http://www.ibm.com/support/docview.wss?uid=swg21675496"
},
{
"type": "WEB",
"url": "http://www.mandriva.com/security/advisories?name=MDVSA-2014:095"
},
{
"type": "WEB",
"url": "http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html"
},
{
"type": "WEB",
"url": "http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html"
},
{
"type": "WEB",
"url": "http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html"
},
{
"type": "WEB",
"url": "http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html"
},
{
"type": "WEB",
"url": "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html"
},
{
"type": "WEB",
"url": "http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html"
},
{
"type": "WEB",
"url": "http://www.oracle.com/technetwork/topics/security/cpujul2014-1972956.html"
},
{
"type": "WEB",
"url": "http://www.oracle.com/technetwork/topics/security/cpuoct2014-1972960.html"
},
{
"type": "WEB",
"url": "http://www.vmware.com/security/advisories/VMSA-2014-0008.html"
},
{
"type": "WEB",
"url": "http://www.vmware.com/security/advisories/VMSA-2014-0012.html"
}
],
"schema_version": "1.4.0",
"severity": [],
"summary": "Arbitrary code execution in Apache Commons BeanUtils"
}
cve-2014-0114
Vulnerability from jvndb
Published
2014-06-17 15:01
Modified
2015-01-22 15:50
Summary
TERASOLUNA Server Framework for Java(Web) vulnerable to ClassLoader manipulation
Details
TERASOLUNA Server Framework for Java(Web) provided by NTT DATA Corporation is a software framework for creating Java web applications. TERASOLUNA Server Framework for Java(Web) bundles Apache Struts 1.2.9, which contains a vulnerability where the ClassLoader may be manipulated (CVE-2014-0114). Therefore, this vulnerability affects TERASOLUNA Server Framework for Java(Web) as well.
References
Impacted products
| ▼ | Vendor | Product |
|---|---|---|
| NTT DATA | TERASOLUNA Server Framework for Java(Web) |
{
"@rdf:about": "https://jvndb.jvn.jp/en/contents/2014/JVNDB-2014-000056.html",
"dc:date": "2015-01-22T15:50+09:00",
"dcterms:issued": "2014-06-17T15:01+09:00",
"dcterms:modified": "2015-01-22T15:50+09:00",
"description": "TERASOLUNA Server Framework for Java(Web) provided by NTT DATA Corporation is a software framework for creating Java web applications. TERASOLUNA Server Framework for Java(Web) bundles Apache Struts 1.2.9, which contains a vulnerability where the ClassLoader may be manipulated (CVE-2014-0114). Therefore, this vulnerability affects TERASOLUNA Server Framework for Java(Web) as well.",
"link": "https://jvndb.jvn.jp/en/contents/2014/JVNDB-2014-000056.html",
"sec:cpe": {
"#text": "cpe:/a:nttdata:terasoluna_server_framework_for_java_web",
"@product": "TERASOLUNA Server Framework for Java(Web)",
"@vendor": "NTT DATA",
"@version": "2.2"
},
"sec:cvss": {
"@score": "7.5",
"@severity": "High",
"@type": "Base",
"@vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"@version": "2.0"
},
"sec:identifier": "JVNDB-2014-000056",
"sec:references": [
{
"#text": "http://jvn.jp/en/jp/JVN30962312/index.html",
"@id": "JVN#30962312",
"@source": "JVN"
},
{
"#text": "http://jvndb.jvn.jp/ja/contents/2014/JVNDB-2014-002308.html",
"@id": "JVNDB-2014-002308",
"@source": "JVN iPedia"
},
{
"#text": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0114",
"@id": "CVE-2014-0114",
"@source": "CVE"
},
{
"#text": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0114",
"@id": "CVE-2014-0114",
"@source": "NVD"
},
{
"#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
"@id": "CWE-DesignError",
"@title": "No Mapping(CWE-DesignError)"
}
],
"title": "TERASOLUNA Server Framework for Java(Web) vulnerable to ClassLoader manipulation"
}
gsd-2014-0114
Vulnerability from gsd
Modified
2023-12-13 01:22
Details
Apache Commons BeanUtils, as distributed in lib/commons-beanutils-1.8.0.jar in Apache Struts 1.x through 1.3.10 and in other products requiring commons-beanutils through 1.9.2, does not suppress the class property, which allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via the class parameter, as demonstrated by the passing of this parameter to the getClass method of the ActionForm object in Struts 1.
Aliases
Aliases
{
"GSD": {
"alias": "CVE-2014-0114",
"description": "Apache Commons BeanUtils, as distributed in lib/commons-beanutils-1.8.0.jar in Apache Struts 1.x through 1.3.10 and in other products requiring commons-beanutils through 1.9.2, does not suppress the class property, which allows remote attackers to \"manipulate\" the ClassLoader and execute arbitrary code via the class parameter, as demonstrated by the passing of this parameter to the getClass method of the ActionForm object in Struts 1.",
"id": "GSD-2014-0114",
"references": [
"https://www.suse.com/security/cve/CVE-2014-0114.html",
"https://www.debian.org/security/2014/dsa-2940",
"https://access.redhat.com/errata/RHSA-2019:2995",
"https://access.redhat.com/errata/RHSA-2018:2669",
"https://access.redhat.com/errata/RHSA-2014:0511",
"https://access.redhat.com/errata/RHSA-2014:0500",
"https://access.redhat.com/errata/RHSA-2014:0498",
"https://access.redhat.com/errata/RHSA-2014:0497",
"https://access.redhat.com/errata/RHSA-2014:0474",
"https://advisories.mageia.org/CVE-2014-0114.html",
"https://linux.oracle.com/cve/CVE-2014-0114.html",
"https://packetstormsecurity.com/files/cve/CVE-2014-0114",
"https://ubuntu.com/security/CVE-2014-0114"
]
},
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"aliases": [
"CVE-2014-0114"
],
"details": "Apache Commons BeanUtils, as distributed in lib/commons-beanutils-1.8.0.jar in Apache Struts 1.x through 1.3.10 and in other products requiring commons-beanutils through 1.9.2, does not suppress the class property, which allows remote attackers to \"manipulate\" the ClassLoader and execute arbitrary code via the class parameter, as demonstrated by the passing of this parameter to the getClass method of the ActionForm object in Struts 1.",
"id": "GSD-2014-0114",
"modified": "2023-12-13T01:22:44.062199Z",
"schema_version": "1.4.0"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2014-0114",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_affected": "=",
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Apache Commons BeanUtils, as distributed in lib/commons-beanutils-1.8.0.jar in Apache Struts 1.x through 1.3.10 and in other products requiring commons-beanutils through 1.9.2, does not suppress the class property, which allows remote attackers to \"manipulate\" the ClassLoader and execute arbitrary code via the class parameter, as demonstrated by the passing of this parameter to the getClass method of the ActionForm object in Struts 1."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html",
"refsource": "MISC",
"url": "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html"
},
{
"name": "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html",
"refsource": "MISC",
"url": "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html"
},
{
"name": "https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442%40%3Cdev.drill.apache.org%3E",
"refsource": "MISC",
"url": "https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442%40%3Cdev.drill.apache.org%3E"
},
{
"name": "https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f%40%3Cdev.drill.apache.org%3E",
"refsource": "MISC",
"url": "https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f%40%3Cdev.drill.apache.org%3E"
},
{
"name": "https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc%40%3Cissues.drill.apache.org%3E",
"refsource": "MISC",
"url": "https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc%40%3Cissues.drill.apache.org%3E"
},
{
"name": "http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html",
"refsource": "MISC",
"url": "http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html"
},
{
"name": "http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html",
"refsource": "MISC",
"url": "http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html"
},
{
"name": "http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html",
"refsource": "MISC",
"url": "http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html"
},
{
"name": "http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html",
"refsource": "MISC",
"url": "http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html"
},
{
"name": "https://access.redhat.com/errata/RHSA-2018:2669",
"refsource": "MISC",
"url": "https://access.redhat.com/errata/RHSA-2018:2669"
},
{
"name": "http://www.oracle.com/technetwork/topics/security/cpuoct2014-1972960.html",
"refsource": "MISC",
"url": "http://www.oracle.com/technetwork/topics/security/cpuoct2014-1972960.html"
},
{
"name": "http://www.vmware.com/security/advisories/VMSA-2014-0008.html",
"refsource": "MISC",
"url": "http://www.vmware.com/security/advisories/VMSA-2014-0008.html"
},
{
"name": "http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html",
"refsource": "MISC",
"url": "http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html"
},
{
"name": "https://lists.apache.org/thread.html/708d94141126eac03011144a971a6411fcac16d9c248d1d535a39451%40%3Csolr-user.lucene.apache.org%3E",
"refsource": "MISC",
"url": "https://lists.apache.org/thread.html/708d94141126eac03011144a971a6411fcac16d9c248d1d535a39451%40%3Csolr-user.lucene.apache.org%3E"
},
{
"name": "https://lists.apache.org/thread.html/r204ba2a9ea750f38d789d2bb429cc0925ad6133deea7cbc3001d96b5%40%3Csolr-user.lucene.apache.org%3E",
"refsource": "MISC",
"url": "https://lists.apache.org/thread.html/r204ba2a9ea750f38d789d2bb429cc0925ad6133deea7cbc3001d96b5%40%3Csolr-user.lucene.apache.org%3E"
},
{
"name": "http://seclists.org/fulldisclosure/2014/Dec/23",
"refsource": "MISC",
"url": "http://seclists.org/fulldisclosure/2014/Dec/23"
},
{
"name": "http://www.oracle.com/technetwork/topics/security/cpujul2014-1972956.html",
"refsource": "MISC",
"url": "http://www.oracle.com/technetwork/topics/security/cpujul2014-1972956.html"
},
{
"name": "http://www.securityfocus.com/archive/1/534161/100/0/threaded",
"refsource": "MISC",
"url": "http://www.securityfocus.com/archive/1/534161/100/0/threaded"
},
{
"name": "http://www.vmware.com/security/advisories/VMSA-2014-0012.html",
"refsource": "MISC",
"url": "http://www.vmware.com/security/advisories/VMSA-2014-0012.html"
},
{
"name": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05324755",
"refsource": "MISC",
"url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05324755"
},
{
"name": "http://advisories.mageia.org/MGASA-2014-0219.html",
"refsource": "MISC",
"url": "http://advisories.mageia.org/MGASA-2014-0219.html"
},
{
"name": "http://apache-ignite-developers.2346864.n4.nabble.com/CVE-2014-0114-Apache-Ignite-is-vulnerable-to-existing-CVE-2014-0114-td31205.html",
"refsource": "MISC",
"url": "http://apache-ignite-developers.2346864.n4.nabble.com/CVE-2014-0114-Apache-Ignite-is-vulnerable-to-existing-CVE-2014-0114-td31205.html"
},
{
"name": "http://commons.apache.org/proper/commons-beanutils/javadocs/v1.9.2/RELEASE-NOTES.txt",
"refsource": "MISC",
"url": "http://commons.apache.org/proper/commons-beanutils/javadocs/v1.9.2/RELEASE-NOTES.txt"
},
{
"name": "http://lists.fedoraproject.org/pipermail/package-announce/2014-August/136958.html",
"refsource": "MISC",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2014-August/136958.html"
},
{
"name": "http://marc.info/?l=bugtraq\u0026m=140119284401582\u0026w=2",
"refsource": "MISC",
"url": "http://marc.info/?l=bugtraq\u0026m=140119284401582\u0026w=2"
},
{
"name": "http://marc.info/?l=bugtraq\u0026m=140801096002766\u0026w=2",
"refsource": "MISC",
"url": "http://marc.info/?l=bugtraq\u0026m=140801096002766\u0026w=2"
},
{
"name": "http://marc.info/?l=bugtraq\u0026m=141451023707502\u0026w=2",
"refsource": "MISC",
"url": "http://marc.info/?l=bugtraq\u0026m=141451023707502\u0026w=2"
},
{
"name": "http://openwall.com/lists/oss-security/2014/06/15/10",
"refsource": "MISC",
"url": "http://openwall.com/lists/oss-security/2014/06/15/10"
},
{
"name": "http://openwall.com/lists/oss-security/2014/07/08/1",
"refsource": "MISC",
"url": "http://openwall.com/lists/oss-security/2014/07/08/1"
},
{
"name": "http://secunia.com/advisories/57477",
"refsource": "MISC",
"url": "http://secunia.com/advisories/57477"
},
{
"name": "http://secunia.com/advisories/58710",
"refsource": "MISC",
"url": "http://secunia.com/advisories/58710"
},
{
"name": "http://secunia.com/advisories/58851",
"refsource": "MISC",
"url": "http://secunia.com/advisories/58851"
},
{
"name": "http://secunia.com/advisories/58947",
"refsource": "MISC",
"url": "http://secunia.com/advisories/58947"
},
{
"name": "http://secunia.com/advisories/59014",
"refsource": "MISC",
"url": "http://secunia.com/advisories/59014"
},
{
"name": "http://secunia.com/advisories/59118",
"refsource": "MISC",
"url": "http://secunia.com/advisories/59118"
},
{
"name": "http://secunia.com/advisories/59228",
"refsource": "MISC",
"url": "http://secunia.com/advisories/59228"
},
{
"name": "http://secunia.com/advisories/59245",
"refsource": "MISC",
"url": "http://secunia.com/advisories/59245"
},
{
"name": "http://secunia.com/advisories/59246",
"refsource": "MISC",
"url": "http://secunia.com/advisories/59246"
},
{
"name": "http://secunia.com/advisories/59430",
"refsource": "MISC",
"url": "http://secunia.com/advisories/59430"
},
{
"name": "http://secunia.com/advisories/59464",
"refsource": "MISC",
"url": "http://secunia.com/advisories/59464"
},
{
"name": "http://secunia.com/advisories/59479",
"refsource": "MISC",
"url": "http://secunia.com/advisories/59479"
},
{
"name": "http://secunia.com/advisories/59480",
"refsource": "MISC",
"url": "http://secunia.com/advisories/59480"
},
{
"name": "http://secunia.com/advisories/59704",
"refsource": "MISC",
"url": "http://secunia.com/advisories/59704"
},
{
"name": "http://secunia.com/advisories/59718",
"refsource": "MISC",
"url": "http://secunia.com/advisories/59718"
},
{
"name": "http://secunia.com/advisories/60177",
"refsource": "MISC",
"url": "http://secunia.com/advisories/60177"
},
{
"name": "http://secunia.com/advisories/60703",
"refsource": "MISC",
"url": "http://secunia.com/advisories/60703"
},
{
"name": "http://www-01.ibm.com/support/docview.wss?uid=swg21674128",
"refsource": "MISC",
"url": "http://www-01.ibm.com/support/docview.wss?uid=swg21674128"
},
{
"name": "http://www-01.ibm.com/support/docview.wss?uid=swg21674812",
"refsource": "MISC",
"url": "http://www-01.ibm.com/support/docview.wss?uid=swg21674812"
},
{
"name": "http://www-01.ibm.com/support/docview.wss?uid=swg21675266",
"refsource": "MISC",
"url": "http://www-01.ibm.com/support/docview.wss?uid=swg21675266"
},
{
"name": "http://www-01.ibm.com/support/docview.wss?uid=swg21675387",
"refsource": "MISC",
"url": "http://www-01.ibm.com/support/docview.wss?uid=swg21675387"
},
{
"name": "http://www-01.ibm.com/support/docview.wss?uid=swg21675689",
"refsource": "MISC",
"url": "http://www-01.ibm.com/support/docview.wss?uid=swg21675689"
},
{
"name": "http://www-01.ibm.com/support/docview.wss?uid=swg21675898",
"refsource": "MISC",
"url": "http://www-01.ibm.com/support/docview.wss?uid=swg21675898"
},
{
"name": "http://www-01.ibm.com/support/docview.wss?uid=swg21675972",
"refsource": "MISC",
"url": "http://www-01.ibm.com/support/docview.wss?uid=swg21675972"
},
{
"name": "http://www-01.ibm.com/support/docview.wss?uid=swg21676091",
"refsource": "MISC",
"url": "http://www-01.ibm.com/support/docview.wss?uid=swg21676091"
},
{
"name": "http://www-01.ibm.com/support/docview.wss?uid=swg21676110",
"refsource": "MISC",
"url": "http://www-01.ibm.com/support/docview.wss?uid=swg21676110"
},
{
"name": "http://www-01.ibm.com/support/docview.wss?uid=swg21676303",
"refsource": "MISC",
"url": "http://www-01.ibm.com/support/docview.wss?uid=swg21676303"
},
{
"name": "http://www-01.ibm.com/support/docview.wss?uid=swg21676375",
"refsource": "MISC",
"url": "http://www-01.ibm.com/support/docview.wss?uid=swg21676375"
},
{
"name": "http://www-01.ibm.com/support/docview.wss?uid=swg21676931",
"refsource": "MISC",
"url": "http://www-01.ibm.com/support/docview.wss?uid=swg21676931"
},
{
"name": "http://www-01.ibm.com/support/docview.wss?uid=swg21677110",
"refsource": "MISC",
"url": "http://www-01.ibm.com/support/docview.wss?uid=swg21677110"
},
{
"name": "http://www-01.ibm.com/support/docview.wss?uid=swg27042296",
"refsource": "MISC",
"url": "http://www-01.ibm.com/support/docview.wss?uid=swg27042296"
},
{
"name": "http://www.debian.org/security/2014/dsa-2940",
"refsource": "MISC",
"url": "http://www.debian.org/security/2014/dsa-2940"
},
{
"name": "http://www.ibm.com/support/docview.wss?uid=swg21675496",
"refsource": "MISC",
"url": "http://www.ibm.com/support/docview.wss?uid=swg21675496"
},
{
"name": "http://www.mandriva.com/security/advisories?name=MDVSA-2014:095",
"refsource": "MISC",
"url": "http://www.mandriva.com/security/advisories?name=MDVSA-2014:095"
},
{
"name": "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html",
"refsource": "MISC",
"url": "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html"
},
{
"name": "http://www.securityfocus.com/bid/67121",
"refsource": "MISC",
"url": "http://www.securityfocus.com/bid/67121"
},
{
"name": "https://access.redhat.com/errata/RHSA-2019:2995",
"refsource": "MISC",
"url": "https://access.redhat.com/errata/RHSA-2019:2995"
},
{
"name": "https://access.redhat.com/solutions/869353",
"refsource": "MISC",
"url": "https://access.redhat.com/solutions/869353"
},
{
"name": "https://bugzilla.redhat.com/show_bug.cgi?id=1116665",
"refsource": "MISC",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1116665"
},
{
"name": "https://issues.apache.org/jira/browse/BEANUTILS-463",
"refsource": "MISC",
"url": "https://issues.apache.org/jira/browse/BEANUTILS-463"
},
{
"name": "https://lists.apache.org/thread.html/0340493a1ddf3660dee09a5c503449cdac5bec48cdc478de65858859%40%3Cdev.commons.apache.org%3E",
"refsource": "MISC",
"url": "https://lists.apache.org/thread.html/0340493a1ddf3660dee09a5c503449cdac5bec48cdc478de65858859%40%3Cdev.commons.apache.org%3E"
},
{
"name": "https://lists.apache.org/thread.html/080af531a9113e29d3f6a060e3f992dc9f40315ec7234e15c3b339e3%40%3Cissues.commons.apache.org%3E",
"refsource": "MISC",
"url": "https://lists.apache.org/thread.html/080af531a9113e29d3f6a060e3f992dc9f40315ec7234e15c3b339e3%40%3Cissues.commons.apache.org%3E"
},
{
"name": "https://lists.apache.org/thread.html/084ae814e69178d2ce174cfdf149bc6e46d7524f3308c08d3adb43cb%40%3Cissues.commons.apache.org%3E",
"refsource": "MISC",
"url": "https://lists.apache.org/thread.html/084ae814e69178d2ce174cfdf149bc6e46d7524f3308c08d3adb43cb%40%3Cissues.commons.apache.org%3E"
},
{
"name": "https://lists.apache.org/thread.html/098e9aae118ac5c06998a9ba4544ab2475162981d290fdef88e6f883%40%3Cissues.commons.apache.org%3E",
"refsource": "MISC",
"url": "https://lists.apache.org/thread.html/098e9aae118ac5c06998a9ba4544ab2475162981d290fdef88e6f883%40%3Cissues.commons.apache.org%3E"
},
{
"name": "https://lists.apache.org/thread.html/09981ae3df188a2ad1ce20f62ef76a5b2d27cf6b9ebab366cf1d6cc6%40%3Cissues.commons.apache.org%3E",
"refsource": "MISC",
"url": "https://lists.apache.org/thread.html/09981ae3df188a2ad1ce20f62ef76a5b2d27cf6b9ebab366cf1d6cc6%40%3Cissues.commons.apache.org%3E"
},
{
"name": "https://lists.apache.org/thread.html/0a35108a56e2d575e3b3985588794e39fbf264097aba66f4c5569e4f%40%3Cuser.commons.apache.org%3E",
"refsource": "MISC",
"url": "https://lists.apache.org/thread.html/0a35108a56e2d575e3b3985588794e39fbf264097aba66f4c5569e4f%40%3Cuser.commons.apache.org%3E"
},
{
"name": "https://lists.apache.org/thread.html/0efed939139f5b9dcd62b8acf7cb8a9789227d14abdc0c6f141c4a4c%40%3Cissues.activemq.apache.org%3E",
"refsource": "MISC",
"url": "https://lists.apache.org/thread.html/0efed939139f5b9dcd62b8acf7cb8a9789227d14abdc0c6f141c4a4c%40%3Cissues.activemq.apache.org%3E"
},
{
"name": "https://lists.apache.org/thread.html/1565e8b786dff4cb3b48ecc8381222c462c92076c9e41408158797b5%40%3Ccommits.commons.apache.org%3E",
"refsource": "MISC",
"url": "https://lists.apache.org/thread.html/1565e8b786dff4cb3b48ecc8381222c462c92076c9e41408158797b5%40%3Ccommits.commons.apache.org%3E"
},
{
"name": "https://lists.apache.org/thread.html/15fcdf27fa060de276edc0b4098526afc21c236852eb3de9be9594f3%40%3Cissues.commons.apache.org%3E",
"refsource": "MISC",
"url": "https://lists.apache.org/thread.html/15fcdf27fa060de276edc0b4098526afc21c236852eb3de9be9594f3%40%3Cissues.commons.apache.org%3E"
},
{
"name": "https://lists.apache.org/thread.html/1f78f1e32cc5614ec0c5b822ba4bd7fc8e8b5c46c8e038b6bd609cb5%40%3Cissues.commons.apache.org%3E",
"refsource": "MISC",
"url": "https://lists.apache.org/thread.html/1f78f1e32cc5614ec0c5b822ba4bd7fc8e8b5c46c8e038b6bd609cb5%40%3Cissues.commons.apache.org%3E"
},
{
"name": "https://lists.apache.org/thread.html/2454e058fd05ba30ca29442fdeb7ea47505d47a888fbc9f3a53f31d0%40%3Cissues.commons.apache.org%3E",
"refsource": "MISC",
"url": "https://lists.apache.org/thread.html/2454e058fd05ba30ca29442fdeb7ea47505d47a888fbc9f3a53f31d0%40%3Cissues.commons.apache.org%3E"
},
{
"name": "https://lists.apache.org/thread.html/2ba22f2e3de945039db735cf6cbf7f8be901ab2537337c7b1dd6a0f0%40%3Cissues.commons.apache.org%3E",
"refsource": "MISC",
"url": "https://lists.apache.org/thread.html/2ba22f2e3de945039db735cf6cbf7f8be901ab2537337c7b1dd6a0f0%40%3Cissues.commons.apache.org%3E"
},
{
"name": "https://lists.apache.org/thread.html/31f9dc2c9cb68e390634a4202f84b8569f64b6569bfcce46348fd9fd%40%3Ccommits.commons.apache.org%3E",
"refsource": "MISC",
"url": "https://lists.apache.org/thread.html/31f9dc2c9cb68e390634a4202f84b8569f64b6569bfcce46348fd9fd%40%3Ccommits.commons.apache.org%3E"
},
{
"name": "https://lists.apache.org/thread.html/37e1ed724a1b0e5d191d98c822c426670bdfde83804567131847d2a3%40%3Cdevnull.infra.apache.org%3E",
"refsource": "MISC",
"url": "https://lists.apache.org/thread.html/37e1ed724a1b0e5d191d98c822c426670bdfde83804567131847d2a3%40%3Cdevnull.infra.apache.org%3E"
},
{
"name": "https://lists.apache.org/thread.html/3f500972dceb48e3cb351f58565aecf6728b1ea7a69593af86c30b30%40%3Cissues.activemq.apache.org%3E",
"refsource": "MISC",
"url": "https://lists.apache.org/thread.html/3f500972dceb48e3cb351f58565aecf6728b1ea7a69593af86c30b30%40%3Cissues.activemq.apache.org%3E"
},
{
"name": "https://lists.apache.org/thread.html/40fc236a35801a535cd49cf1979dbeab034b833c63a284941bce5bf1%40%3Cdev.commons.apache.org%3E",
"refsource": "MISC",
"url": "https://lists.apache.org/thread.html/40fc236a35801a535cd49cf1979dbeab034b833c63a284941bce5bf1%40%3Cdev.commons.apache.org%3E"
},
{
"name": "https://lists.apache.org/thread.html/42ad6326d62ea8453d0d0ce12eff39bbb7c5b4fca9639da007291346%40%3Cissues.commons.apache.org%3E",
"refsource": "MISC",
"url": "https://lists.apache.org/thread.html/42ad6326d62ea8453d0d0ce12eff39bbb7c5b4fca9639da007291346%40%3Cissues.commons.apache.org%3E"
},
{
"name": "https://lists.apache.org/thread.html/4c3fd707a049bfe0577dba8fc9c4868ffcdabe68ad86586a0a49242e%40%3Cissues.commons.apache.org%3E",
"refsource": "MISC",
"url": "https://lists.apache.org/thread.html/4c3fd707a049bfe0577dba8fc9c4868ffcdabe68ad86586a0a49242e%40%3Cissues.commons.apache.org%3E"
},
{
"name": "https://lists.apache.org/thread.html/65b39fa6d700e511927e5668a4038127432178a210aff81500eb36e5%40%3Cissues.commons.apache.org%3E",
"refsource": "MISC",
"url": "https://lists.apache.org/thread.html/65b39fa6d700e511927e5668a4038127432178a210aff81500eb36e5%40%3Cissues.commons.apache.org%3E"
},
{
"name": "https://lists.apache.org/thread.html/66176fa3caeca77058d9f5b0316419a43b4c3fa2b572e05b87132226%40%3Cissues.commons.apache.org%3E",
"refsource": "MISC",
"url": "https://lists.apache.org/thread.html/66176fa3caeca77058d9f5b0316419a43b4c3fa2b572e05b87132226%40%3Cissues.commons.apache.org%3E"
},
{
"name": "https://lists.apache.org/thread.html/6afe2f935493e69a332b9c5a4f23cafe95c15ede1591a492cf612293%40%3Cissues.commons.apache.org%3E",
"refsource": "MISC",
"url": "https://lists.apache.org/thread.html/6afe2f935493e69a332b9c5a4f23cafe95c15ede1591a492cf612293%40%3Cissues.commons.apache.org%3E"
},
{
"name": "https://lists.apache.org/thread.html/6b30629b32d020c40d537f00b004d281c37528d471de15ca8aec2cd4%40%3Cissues.commons.apache.org%3E",
"refsource": "MISC",
"url": "https://lists.apache.org/thread.html/6b30629b32d020c40d537f00b004d281c37528d471de15ca8aec2cd4%40%3Cissues.commons.apache.org%3E"
},
{
"name": "https://lists.apache.org/thread.html/869c08899f34c1a70c9fb42f92ac0d043c98781317e0c19d7ba3f5e3%40%3Cissues.commons.apache.org%3E",
"refsource": "MISC",
"url": "https://lists.apache.org/thread.html/869c08899f34c1a70c9fb42f92ac0d043c98781317e0c19d7ba3f5e3%40%3Cissues.commons.apache.org%3E"
},
{
"name": "https://lists.apache.org/thread.html/88c497eead24ed517a2bb3159d3dc48725c215e97fe7a98b2cf3ea25%40%3Cdev.commons.apache.org%3E",
"refsource": "MISC",
"url": "https://lists.apache.org/thread.html/88c497eead24ed517a2bb3159d3dc48725c215e97fe7a98b2cf3ea25%40%3Cdev.commons.apache.org%3E"
},
{
"name": "https://lists.apache.org/thread.html/8e2bdfabd5b14836aa3cf900aa0a62ff9f4e22a518bb4e553ebcf55f%40%3Cissues.commons.apache.org%3E",
"refsource": "MISC",
"url": "https://lists.apache.org/thread.html/8e2bdfabd5b14836aa3cf900aa0a62ff9f4e22a518bb4e553ebcf55f%40%3Cissues.commons.apache.org%3E"
},
{
"name": "https://lists.apache.org/thread.html/918ec15a80fc766ff46c5d769cb8efc88fed6674faadd61a7105166b%40%3Cannounce.apache.org%3E",
"refsource": "MISC",
"url": "https://lists.apache.org/thread.html/918ec15a80fc766ff46c5d769cb8efc88fed6674faadd61a7105166b%40%3Cannounce.apache.org%3E"
},
{
"name": "https://lists.apache.org/thread.html/9317fd092b257a0815434b116a8af8daea6e920b6673f4fd5583d5fe%40%3Ccommits.druid.apache.org%3E",
"refsource": "MISC",
"url": "https://lists.apache.org/thread.html/9317fd092b257a0815434b116a8af8daea6e920b6673f4fd5583d5fe%40%3Ccommits.druid.apache.org%3E"
},
{
"name": "https://lists.apache.org/thread.html/956995acee0d8bc046f1df0a55b7fbeb65dd2f82864e5de1078bacb0%40%3Cissues.commons.apache.org%3E",
"refsource": "MISC",
"url": "https://lists.apache.org/thread.html/956995acee0d8bc046f1df0a55b7fbeb65dd2f82864e5de1078bacb0%40%3Cissues.commons.apache.org%3E"
},
{
"name": "https://lists.apache.org/thread.html/97fc033dad4233a5d82fcb75521eabdd23dd99ef32eb96f407f96a1a%40%3Cissues.commons.apache.org%3E",
"refsource": "MISC",
"url": "https://lists.apache.org/thread.html/97fc033dad4233a5d82fcb75521eabdd23dd99ef32eb96f407f96a1a%40%3Cissues.commons.apache.org%3E"
},
{
"name": "https://lists.apache.org/thread.html/9b5505632f5683ee17bda4f7878525e672226c7807d57709283ffa64%40%3Cissues.commons.apache.org%3E",
"refsource": "MISC",
"url": "https://lists.apache.org/thread.html/9b5505632f5683ee17bda4f7878525e672226c7807d57709283ffa64%40%3Cissues.commons.apache.org%3E"
},
{
"name": "https://lists.apache.org/thread.html/aa4ca069c7aea5b1d7329bc21576c44a39bcc4eb7bb2760c4b16f2f6%40%3Cissues.commons.apache.org%3E",
"refsource": "MISC",
"url": "https://lists.apache.org/thread.html/aa4ca069c7aea5b1d7329bc21576c44a39bcc4eb7bb2760c4b16f2f6%40%3Cissues.commons.apache.org%3E"
},
{
"name": "https://lists.apache.org/thread.html/c24c0b931632a397142882ba248b7bd440027960f22845c6f664c639%40%3Ccommits.commons.apache.org%3E",
"refsource": "MISC",
"url": "https://lists.apache.org/thread.html/c24c0b931632a397142882ba248b7bd440027960f22845c6f664c639%40%3Ccommits.commons.apache.org%3E"
},
{
"name": "https://lists.apache.org/thread.html/c70da3cb6e3f03e0ad8013e38b6959419d866c4a7c80fdd34b73f25c%40%3Ccommits.pulsar.apache.org%3E",
"refsource": "MISC",
"url": "https://lists.apache.org/thread.html/c70da3cb6e3f03e0ad8013e38b6959419d866c4a7c80fdd34b73f25c%40%3Ccommits.pulsar.apache.org%3E"
},
{
"name": "https://lists.apache.org/thread.html/c7e31c3c90b292e0bafccc4e1b19c9afc1503a65d82cb7833dfd7478%40%3Cissues.commons.apache.org%3E",
"refsource": "MISC",
"url": "https://lists.apache.org/thread.html/c7e31c3c90b292e0bafccc4e1b19c9afc1503a65d82cb7833dfd7478%40%3Cissues.commons.apache.org%3E"
},
{
"name": "https://lists.apache.org/thread.html/cee6b1c4533be1a753614f6a7d7c533c42091e7cafd7053b8f62792a%40%3Cissues.commons.apache.org%3E",
"refsource": "MISC",
"url": "https://lists.apache.org/thread.html/cee6b1c4533be1a753614f6a7d7c533c42091e7cafd7053b8f62792a%40%3Cissues.commons.apache.org%3E"
},
{
"name": "https://lists.apache.org/thread.html/d27c51b3c933f885460aa6d3004eb228916615caaaddbb8e8bfeeb40%40%3Cgitbox.activemq.apache.org%3E",
"refsource": "MISC",
"url": "https://lists.apache.org/thread.html/d27c51b3c933f885460aa6d3004eb228916615caaaddbb8e8bfeeb40%40%3Cgitbox.activemq.apache.org%3E"
},
{
"name": "https://lists.apache.org/thread.html/df093c662b5e49fe9e38ef91f78ffab09d0839dea7df69a747dffa86%40%3Cdev.commons.apache.org%3E",
"refsource": "MISC",
"url": "https://lists.apache.org/thread.html/df093c662b5e49fe9e38ef91f78ffab09d0839dea7df69a747dffa86%40%3Cdev.commons.apache.org%3E"
},
{
"name": "https://lists.apache.org/thread.html/df1c385f2112edffeff57a6b21d12e8d24031a9f578cb8ba22a947a8%40%3Cissues.commons.apache.org%3E",
"refsource": "MISC",
"url": "https://lists.apache.org/thread.html/df1c385f2112edffeff57a6b21d12e8d24031a9f578cb8ba22a947a8%40%3Cissues.commons.apache.org%3E"
},
{
"name": "https://lists.apache.org/thread.html/ebc4f019798f6ce2a39f3e0c26a9068563a9ba092cdf3ece398d4e2f%40%3Cnotifications.commons.apache.org%3E",
"refsource": "MISC",
"url": "https://lists.apache.org/thread.html/ebc4f019798f6ce2a39f3e0c26a9068563a9ba092cdf3ece398d4e2f%40%3Cnotifications.commons.apache.org%3E"
},
{
"name": "https://lists.apache.org/thread.html/f3682772e62926b5c009eed63c62767021be6da0bb7427610751809f%40%3Cissues.commons.apache.org%3E",
"refsource": "MISC",
"url": "https://lists.apache.org/thread.html/f3682772e62926b5c009eed63c62767021be6da0bb7427610751809f%40%3Cissues.commons.apache.org%3E"
},
{
"name": "https://lists.apache.org/thread.html/fda473f46e51019a78ab217a7a3a3d48dafd90846e75bd5536ef72f3%40%3Cnotifications.commons.apache.org%3E",
"refsource": "MISC",
"url": "https://lists.apache.org/thread.html/fda473f46e51019a78ab217a7a3a3d48dafd90846e75bd5536ef72f3%40%3Cnotifications.commons.apache.org%3E"
},
{
"name": "https://lists.apache.org/thread.html/ffde3f266d3bde190b54c9202169e7918a92de7e7e0337d792dc7263%40%3Cissues.commons.apache.org%3E",
"refsource": "MISC",
"url": "https://lists.apache.org/thread.html/ffde3f266d3bde190b54c9202169e7918a92de7e7e0337d792dc7263%40%3Cissues.commons.apache.org%3E"
},
{
"name": "https://lists.apache.org/thread.html/r458d61eaeadecaad04382ebe583230bc027f48d9e85e4731bc573477%40%3Ccommits.dolphinscheduler.apache.org%3E",
"refsource": "MISC",
"url": "https://lists.apache.org/thread.html/r458d61eaeadecaad04382ebe583230bc027f48d9e85e4731bc573477%40%3Ccommits.dolphinscheduler.apache.org%3E"
},
{
"name": "https://lists.apache.org/thread.html/r75d67108e557bb5d4c4318435067714a0180de525314b7e8dab9d04e%40%3Cissues.activemq.apache.org%3E",
"refsource": "MISC",
"url": "https://lists.apache.org/thread.html/r75d67108e557bb5d4c4318435067714a0180de525314b7e8dab9d04e%40%3Cissues.activemq.apache.org%3E"
},
{
"name": "https://lists.apache.org/thread.html/rf5230a049d989dbfdd404b4320a265dceeeba459a4d04ec21873bd55%40%3Csolr-user.lucene.apache.org%3E",
"refsource": "MISC",
"url": "https://lists.apache.org/thread.html/rf5230a049d989dbfdd404b4320a265dceeeba459a4d04ec21873bd55%40%3Csolr-user.lucene.apache.org%3E"
},
{
"name": "https://security.gentoo.org/glsa/201607-09",
"refsource": "MISC",
"url": "https://security.gentoo.org/glsa/201607-09"
},
{
"name": "https://security.netapp.com/advisory/ntap-20140911-0001/",
"refsource": "MISC",
"url": "https://security.netapp.com/advisory/ntap-20140911-0001/"
},
{
"name": "https://security.netapp.com/advisory/ntap-20180629-0006/",
"refsource": "MISC",
"url": "https://security.netapp.com/advisory/ntap-20180629-0006/"
},
{
"name": "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html",
"refsource": "MISC",
"url": "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html"
},
{
"name": "https://bugzilla.redhat.com/show_bug.cgi?id=1091938",
"refsource": "MISC",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1091938"
}
]
}
},
"gitlab.com": {
"advisories": [
{
"affected_range": "(,1.9.1]",
"affected_versions": "All versions up to 1.9.1",
"cvss_v2": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"cwe_ids": [
"CWE-1035",
"CWE-20",
"CWE-937"
],
"date": "2019-06-15",
"description": "This package does not suppress the class property, which allows remote attackers to \"manipulate\" the ClassLoader and execute arbitrary code via the class parameter, as demonstrated by the passing of this parameter to the getClass method of the `ActionForm` object in Struts ",
"fixed_versions": [
"1.9.2"
],
"identifier": "CVE-2014-0114",
"identifiers": [
"CVE-2014-0114"
],
"not_impacted": "All versions after 1.9.1",
"package_slug": "maven/commons-beanutils/commons-beanutils",
"pubdate": "2014-04-30",
"solution": "Upgrade to version 1.9.2 or above.",
"title": "Class Loader manipulation via request parameters",
"urls": [
"http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/Protect-your-Struts1-applications/ba-p/6463188#.U2J7xeaSxro",
"http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0114",
"https://bugzilla.redhat.com/show_bug.cgi?id=1091938"
],
"uuid": "dc5c6ffc-f1f7-494c-9c53-735bfc54215d"
},
{
"affected_range": "(1.0,1.3.10]",
"affected_versions": "All versions up to 1.3.10",
"cvss_v2": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"cwe_ids": [
"CWE-1035",
"CWE-20",
"CWE-937"
],
"date": "2019-06-15",
"description": "Apache Commons BeanUtils does not suppress the class property, which allows remote attackers to \"manipulate\" the ClassLoader and execute arbitrary code via the class parameter, as demonstrated by the passing of this parameter to the getClass method of the `ActionForm` object in Struts ",
"fixed_versions": [],
"identifier": "CVE-2014-0114",
"identifiers": [
"CVE-2014-0114"
],
"not_impacted": "All versions before 1.0",
"package_slug": "maven/struts/struts",
"pubdate": "2014-04-30",
"solution": "Unfortunately, there is no solution available yet.",
"title": "Improper Input Validation",
"urls": [
"http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0114",
"https://bugzilla.redhat.com/show_bug.cgi?id=1091938",
"http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/Protect-your-Struts1-applications/ba-p/6463188#.U2J7xeaSxro"
],
"uuid": "5e123011-a07f-42bb-83e2-315733b05f18"
}
]
},
"nvd.nist.gov": {
"configurations": {
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:apache:commons_beanutils:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndIncluding": "1.9.1",
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:apache:struts:1.2.8:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apache:struts:1.3.5:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apache:struts:1.3.8:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apache:struts:1.1:rc2:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apache:struts:1.1:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apache:struts:1.2.7:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apache:struts:1.2.6:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apache:struts:1.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apache:struts:1.1:rc1:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apache:struts:1.0.2:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apache:struts:1.3.10:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apache:struts:1.1:b1:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apache:struts:1.2.4:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apache:struts:1.2.2:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apache:struts:1.1:b2:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apache:struts:1.1:b3:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apache:struts:1.2.9:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
}
]
},
"cve": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2014-0114"
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "en",
"value": "Apache Commons BeanUtils, as distributed in lib/commons-beanutils-1.8.0.jar in Apache Struts 1.x through 1.3.10 and in other products requiring commons-beanutils through 1.9.2, does not suppress the class property, which allows remote attackers to \"manipulate\" the ClassLoader and execute arbitrary code via the class parameter, as demonstrated by the passing of this parameter to the getClass method of the ActionForm object in Struts 1."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "en",
"value": "CWE-20"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://bugzilla.redhat.com/show_bug.cgi?id=1091938",
"refsource": "CONFIRM",
"tags": [],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1091938"
},
{
"name": "59704",
"refsource": "SECUNIA",
"tags": [],
"url": "http://secunia.com/advisories/59704"
},
{
"name": "http://www-01.ibm.com/support/docview.wss?uid=swg21676303",
"refsource": "CONFIRM",
"tags": [],
"url": "http://www-01.ibm.com/support/docview.wss?uid=swg21676303"
},
{
"name": "https://issues.apache.org/jira/browse/BEANUTILS-463",
"refsource": "CONFIRM",
"tags": [],
"url": "https://issues.apache.org/jira/browse/BEANUTILS-463"
},
{
"name": "https://bugzilla.redhat.com/show_bug.cgi?id=1116665",
"refsource": "CONFIRM",
"tags": [],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1116665"
},
{
"name": "http://www-01.ibm.com/support/docview.wss?uid=swg21676931",
"refsource": "CONFIRM",
"tags": [],
"url": "http://www-01.ibm.com/support/docview.wss?uid=swg21676931"
},
{
"name": "59014",
"refsource": "SECUNIA",
"tags": [],
"url": "http://secunia.com/advisories/59014"
},
{
"name": "https://access.redhat.com/solutions/869353",
"refsource": "CONFIRM",
"tags": [],
"url": "https://access.redhat.com/solutions/869353"
},
{
"name": "http://commons.apache.org/proper/commons-beanutils/javadocs/v1.9.2/RELEASE-NOTES.txt",
"refsource": "CONFIRM",
"tags": [],
"url": "http://commons.apache.org/proper/commons-beanutils/javadocs/v1.9.2/RELEASE-NOTES.txt"
},
{
"name": "[oss-security] 20140707 Re: CVE request for commons-beanutils: \u0027class\u0027 property is exposed, potentially leading to RCE",
"refsource": "MLIST",
"tags": [],
"url": "http://openwall.com/lists/oss-security/2014/07/08/1"
},
{
"name": "58851",
"refsource": "SECUNIA",
"tags": [],
"url": "http://secunia.com/advisories/58851"
},
{
"name": "[oss-security] 20140616 CVE request for commons-beanutils: \u0027class\u0027 property is exposed, potentially leading to RCE",
"refsource": "MLIST",
"tags": [],
"url": "http://openwall.com/lists/oss-security/2014/06/15/10"
},
{
"name": "http://www-01.ibm.com/support/docview.wss?uid=swg21676375",
"refsource": "CONFIRM",
"tags": [],
"url": "http://www-01.ibm.com/support/docview.wss?uid=swg21676375"
},
{
"name": "http://www.oracle.com/technetwork/topics/security/cpujul2014-1972956.html",
"refsource": "CONFIRM",
"tags": [],
"url": "http://www.oracle.com/technetwork/topics/security/cpujul2014-1972956.html"
},
{
"name": "60703",
"refsource": "SECUNIA",
"tags": [],
"url": "http://secunia.com/advisories/60703"
},
{
"name": "60177",
"refsource": "SECUNIA",
"tags": [],
"url": "http://secunia.com/advisories/60177"
},
{
"name": "FEDORA-2014-9380",
"refsource": "FEDORA",
"tags": [],
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2014-August/136958.html"
},
{
"name": "http://www.oracle.com/technetwork/topics/security/cpuoct2014-1972960.html",
"refsource": "CONFIRM",
"tags": [],
"url": "http://www.oracle.com/technetwork/topics/security/cpuoct2014-1972960.html"
},
{
"name": "DSA-2940",
"refsource": "DEBIAN",
"tags": [],
"url": "http://www.debian.org/security/2014/dsa-2940"
},
{
"name": "HPSBST03160",
"refsource": "HP",
"tags": [],
"url": "http://marc.info/?l=bugtraq\u0026m=141451023707502\u0026w=2"
},
{
"name": "http://www.vmware.com/security/advisories/VMSA-2014-0012.html",
"refsource": "CONFIRM",
"tags": [],
"url": "http://www.vmware.com/security/advisories/VMSA-2014-0012.html"
},
{
"name": "20141205 NEW: VMSA-2014-0012 - VMware vSphere product updates address security vulnerabilities",
"refsource": "FULLDISC",
"tags": [],
"url": "http://seclists.org/fulldisclosure/2014/Dec/23"
},
{
"name": "http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html",
"refsource": "CONFIRM",
"tags": [],
"url": "http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html"
},
{
"name": "http://www-01.ibm.com/support/docview.wss?uid=swg21676091",
"refsource": "CONFIRM",
"tags": [],
"url": "http://www-01.ibm.com/support/docview.wss?uid=swg21676091"
},
{
"name": "HPSBGN03041",
"refsource": "HP",
"tags": [],
"url": "http://marc.info/?l=bugtraq\u0026m=140119284401582\u0026w=2"
},
{
"name": "HPSBMU03090",
"refsource": "HP",
"tags": [],
"url": "http://marc.info/?l=bugtraq\u0026m=140801096002766\u0026w=2"
},
{
"name": "http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html",
"refsource": "CONFIRM",
"tags": [],
"url": "http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html"
},
{
"name": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05324755",
"refsource": "CONFIRM",
"tags": [],
"url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05324755"
},
{
"name": "67121",
"refsource": "BID",
"tags": [],
"url": "http://www.securityfocus.com/bid/67121"
},
{
"name": "GLSA-201607-09",
"refsource": "GENTOO",
"tags": [],
"url": "https://security.gentoo.org/glsa/201607-09"
},
{
"name": "http://www-01.ibm.com/support/docview.wss?uid=swg27042296",
"refsource": "CONFIRM",
"tags": [],
"url": "http://www-01.ibm.com/support/docview.wss?uid=swg27042296"
},
{
"name": "http://www-01.ibm.com/support/docview.wss?uid=swg21677110",
"refsource": "CONFIRM",
"tags": [],
"url": "http://www-01.ibm.com/support/docview.wss?uid=swg21677110"
},
{
"name": "http://www-01.ibm.com/support/docview.wss?uid=swg21676110",
"refsource": "CONFIRM",
"tags": [],
"url": "http://www-01.ibm.com/support/docview.wss?uid=swg21676110"
},
{
"name": "http://www-01.ibm.com/support/docview.wss?uid=swg21675972",
"refsource": "CONFIRM",
"tags": [],
"url": "http://www-01.ibm.com/support/docview.wss?uid=swg21675972"
},
{
"name": "http://www-01.ibm.com/support/docview.wss?uid=swg21675898",
"refsource": "CONFIRM",
"tags": [],
"url": "http://www-01.ibm.com/support/docview.wss?uid=swg21675898"
},
{
"name": "http://www-01.ibm.com/support/docview.wss?uid=swg21675689",
"refsource": "CONFIRM",
"tags": [],
"url": "http://www-01.ibm.com/support/docview.wss?uid=swg21675689"
},
{
"name": "http://www-01.ibm.com/support/docview.wss?uid=swg21675387",
"refsource": "CONFIRM",
"tags": [],
"url": "http://www-01.ibm.com/support/docview.wss?uid=swg21675387"
},
{
"name": "http://www-01.ibm.com/support/docview.wss?uid=swg21675266",
"refsource": "CONFIRM",
"tags": [],
"url": "http://www-01.ibm.com/support/docview.wss?uid=swg21675266"
},
{
"name": "http://www-01.ibm.com/support/docview.wss?uid=swg21674812",
"refsource": "CONFIRM",
"tags": [],
"url": "http://www-01.ibm.com/support/docview.wss?uid=swg21674812"
},
{
"name": "http://www-01.ibm.com/support/docview.wss?uid=swg21674128",
"refsource": "CONFIRM",
"tags": [],
"url": "http://www-01.ibm.com/support/docview.wss?uid=swg21674128"
},
{
"name": "http://www.vmware.com/security/advisories/VMSA-2014-0008.html",
"refsource": "CONFIRM",
"tags": [],
"url": "http://www.vmware.com/security/advisories/VMSA-2014-0008.html"
},
{
"name": "MDVSA-2014:095",
"refsource": "MANDRIVA",
"tags": [],
"url": "http://www.mandriva.com/security/advisories?name=MDVSA-2014:095"
},
{
"name": "http://www.ibm.com/support/docview.wss?uid=swg21675496",
"refsource": "CONFIRM",
"tags": [],
"url": "http://www.ibm.com/support/docview.wss?uid=swg21675496"
},
{
"name": "59718",
"refsource": "SECUNIA",
"tags": [],
"url": "http://secunia.com/advisories/59718"
},
{
"name": "59480",
"refsource": "SECUNIA",
"tags": [],
"url": "http://secunia.com/advisories/59480"
},
{
"name": "59479",
"refsource": "SECUNIA",
"tags": [],
"url": "http://secunia.com/advisories/59479"
},
{
"name": "59464",
"refsource": "SECUNIA",
"tags": [],
"url": "http://secunia.com/advisories/59464"
},
{
"name": "59430",
"refsource": "SECUNIA",
"tags": [],
"url": "http://secunia.com/advisories/59430"
},
{
"name": "59246",
"refsource": "SECUNIA",
"tags": [],
"url": "http://secunia.com/advisories/59246"
},
{
"name": "59245",
"refsource": "SECUNIA",
"tags": [],
"url": "http://secunia.com/advisories/59245"
},
{
"name": "59228",
"refsource": "SECUNIA",
"tags": [],
"url": "http://secunia.com/advisories/59228"
},
{
"name": "59118",
"refsource": "SECUNIA",
"tags": [],
"url": "http://secunia.com/advisories/59118"
},
{
"name": "58947",
"refsource": "SECUNIA",
"tags": [],
"url": "http://secunia.com/advisories/58947"
},
{
"name": "58710",
"refsource": "SECUNIA",
"tags": [],
"url": "http://secunia.com/advisories/58710"
},
{
"name": "57477",
"refsource": "SECUNIA",
"tags": [],
"url": "http://secunia.com/advisories/57477"
},
{
"name": "http://advisories.mageia.org/MGASA-2014-0219.html",
"refsource": "CONFIRM",
"tags": [],
"url": "http://advisories.mageia.org/MGASA-2014-0219.html"
},
{
"name": "http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html",
"refsource": "CONFIRM",
"tags": [],
"url": "http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html"
},
{
"name": "https://security.netapp.com/advisory/ntap-20140911-0001/",
"refsource": "CONFIRM",
"tags": [],
"url": "https://security.netapp.com/advisory/ntap-20140911-0001/"
},
{
"name": "http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html",
"refsource": "CONFIRM",
"tags": [],
"url": "http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html"
},
{
"name": "[apache-ignite-developers] 20180601 [CVE-2014-0114]: Apache Ignite is vulnerable to existing CVE-2014-0114",
"refsource": "MLIST",
"tags": [],
"url": "http://apache-ignite-developers.2346864.n4.nabble.com/CVE-2014-0114-Apache-Ignite-is-vulnerable-to-existing-CVE-2014-0114-td31205.html"
},
{
"name": "https://security.netapp.com/advisory/ntap-20180629-0006/",
"refsource": "CONFIRM",
"tags": [],
"url": "https://security.netapp.com/advisory/ntap-20180629-0006/"
},
{
"name": "http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html",
"refsource": "CONFIRM",
"tags": [],
"url": "http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html"
},
{
"name": "RHSA-2018:2669",
"refsource": "REDHAT",
"tags": [],
"url": "https://access.redhat.com/errata/RHSA-2018:2669"
},
{
"name": "20141205 NEW: VMSA-2014-0012 - VMware vSphere product updates address security vulnerabilities",
"refsource": "BUGTRAQ",
"tags": [],
"url": "http://www.securityfocus.com/archive/1/534161/100/0/threaded"
},
{
"name": "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html",
"refsource": "CONFIRM",
"tags": [],
"url": "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html"
},
{
"name": "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html",
"refsource": "CONFIRM",
"tags": [],
"url": "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html"
},
{
"name": "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html",
"refsource": "MISC",
"tags": [],
"url": "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html"
},
{
"name": "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html",
"refsource": "MISC",
"tags": [],
"url": "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html"
},
{
"name": "RHSA-2019:2995",
"refsource": "REDHAT",
"tags": [],
"url": "https://access.redhat.com/errata/RHSA-2019:2995"
},
{
"name": "https://lists.apache.org/thread.html/2454e058fd05ba30ca29442fdeb7ea47505d47a888fbc9f3a53f31d0%40%3Cissues.commons.apache.org%3E",
"refsource": "MISC",
"tags": [],
"url": "https://lists.apache.org/thread.html/2454e058fd05ba30ca29442fdeb7ea47505d47a888fbc9f3a53f31d0%40%3Cissues.commons.apache.org%3E"
},
{
"name": "https://lists.apache.org/thread.html/65b39fa6d700e511927e5668a4038127432178a210aff81500eb36e5%40%3Cissues.commons.apache.org%3E",
"refsource": "MISC",
"tags": [],
"url": "https://lists.apache.org/thread.html/65b39fa6d700e511927e5668a4038127432178a210aff81500eb36e5%40%3Cissues.commons.apache.org%3E"
},
{
"name": "https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442%40%3Cdev.drill.apache.org%3E",
"refsource": "MISC",
"tags": [],
"url": "https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442%40%3Cdev.drill.apache.org%3E"
},
{
"name": "https://lists.apache.org/thread.html/fda473f46e51019a78ab217a7a3a3d48dafd90846e75bd5536ef72f3%40%3Cnotifications.commons.apache.org%3E",
"refsource": "MISC",
"tags": [],
"url": "https://lists.apache.org/thread.html/fda473f46e51019a78ab217a7a3a3d48dafd90846e75bd5536ef72f3%40%3Cnotifications.commons.apache.org%3E"
},
{
"name": "https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc%40%3Cissues.drill.apache.org%3E",
"refsource": "MISC",
"tags": [],
"url": "https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc%40%3Cissues.drill.apache.org%3E"
},
{
"name": "https://lists.apache.org/thread.html/4c3fd707a049bfe0577dba8fc9c4868ffcdabe68ad86586a0a49242e%40%3Cissues.commons.apache.org%3E",
"refsource": "MISC",
"tags": [],
"url": "https://lists.apache.org/thread.html/4c3fd707a049bfe0577dba8fc9c4868ffcdabe68ad86586a0a49242e%40%3Cissues.commons.apache.org%3E"
},
{
"name": "https://lists.apache.org/thread.html/0efed939139f5b9dcd62b8acf7cb8a9789227d14abdc0c6f141c4a4c%40%3Cissues.activemq.apache.org%3E",
"refsource": "MISC",
"tags": [],
"url": "https://lists.apache.org/thread.html/0efed939139f5b9dcd62b8acf7cb8a9789227d14abdc0c6f141c4a4c%40%3Cissues.activemq.apache.org%3E"
},
{
"name": "https://lists.apache.org/thread.html/r458d61eaeadecaad04382ebe583230bc027f48d9e85e4731bc573477%40%3Ccommits.dolphinscheduler.apache.org%3E",
"refsource": "MISC",
"tags": [],
"url": "https://lists.apache.org/thread.html/r458d61eaeadecaad04382ebe583230bc027f48d9e85e4731bc573477%40%3Ccommits.dolphinscheduler.apache.org%3E"
},
{
"name": "https://lists.apache.org/thread.html/09981ae3df188a2ad1ce20f62ef76a5b2d27cf6b9ebab366cf1d6cc6%40%3Cissues.commons.apache.org%3E",
"refsource": "MISC",
"tags": [],
"url": "https://lists.apache.org/thread.html/09981ae3df188a2ad1ce20f62ef76a5b2d27cf6b9ebab366cf1d6cc6%40%3Cissues.commons.apache.org%3E"
},
{
"name": "https://lists.apache.org/thread.html/1565e8b786dff4cb3b48ecc8381222c462c92076c9e41408158797b5%40%3Ccommits.commons.apache.org%3E",
"refsource": "MISC",
"tags": [],
"url": "https://lists.apache.org/thread.html/1565e8b786dff4cb3b48ecc8381222c462c92076c9e41408158797b5%40%3Ccommits.commons.apache.org%3E"
},
{
"name": "https://lists.apache.org/thread.html/aa4ca069c7aea5b1d7329bc21576c44a39bcc4eb7bb2760c4b16f2f6%40%3Cissues.commons.apache.org%3E",
"refsource": "MISC",
"tags": [],
"url": "https://lists.apache.org/thread.html/aa4ca069c7aea5b1d7329bc21576c44a39bcc4eb7bb2760c4b16f2f6%40%3Cissues.commons.apache.org%3E"
},
{
"name": "https://lists.apache.org/thread.html/1f78f1e32cc5614ec0c5b822ba4bd7fc8e8b5c46c8e038b6bd609cb5%40%3Cissues.commons.apache.org%3E",
"refsource": "MISC",
"tags": [],
"url": "https://lists.apache.org/thread.html/1f78f1e32cc5614ec0c5b822ba4bd7fc8e8b5c46c8e038b6bd609cb5%40%3Cissues.commons.apache.org%3E"
},
{
"name": "https://lists.apache.org/thread.html/098e9aae118ac5c06998a9ba4544ab2475162981d290fdef88e6f883%40%3Cissues.commons.apache.org%3E",
"refsource": "MISC",
"tags": [],
"url": "https://lists.apache.org/thread.html/098e9aae118ac5c06998a9ba4544ab2475162981d290fdef88e6f883%40%3Cissues.commons.apache.org%3E"
},
{
"name": "https://lists.apache.org/thread.html/40fc236a35801a535cd49cf1979dbeab034b833c63a284941bce5bf1%40%3Cdev.commons.apache.org%3E",
"refsource": "MISC",
"tags": [],
"url": "https://lists.apache.org/thread.html/40fc236a35801a535cd49cf1979dbeab034b833c63a284941bce5bf1%40%3Cdev.commons.apache.org%3E"
},
{
"name": "https://lists.apache.org/thread.html/869c08899f34c1a70c9fb42f92ac0d043c98781317e0c19d7ba3f5e3%40%3Cissues.commons.apache.org%3E",
"refsource": "MISC",
"tags": [],
"url": "https://lists.apache.org/thread.html/869c08899f34c1a70c9fb42f92ac0d043c98781317e0c19d7ba3f5e3%40%3Cissues.commons.apache.org%3E"
},
{
"name": "https://lists.apache.org/thread.html/8e2bdfabd5b14836aa3cf900aa0a62ff9f4e22a518bb4e553ebcf55f%40%3Cissues.commons.apache.org%3E",
"refsource": "MISC",
"tags": [],
"url": "https://lists.apache.org/thread.html/8e2bdfabd5b14836aa3cf900aa0a62ff9f4e22a518bb4e553ebcf55f%40%3Cissues.commons.apache.org%3E"
},
{
"name": "https://lists.apache.org/thread.html/df093c662b5e49fe9e38ef91f78ffab09d0839dea7df69a747dffa86%40%3Cdev.commons.apache.org%3E",
"refsource": "MISC",
"tags": [],
"url": "https://lists.apache.org/thread.html/df093c662b5e49fe9e38ef91f78ffab09d0839dea7df69a747dffa86%40%3Cdev.commons.apache.org%3E"
},
{
"name": "https://lists.apache.org/thread.html/ffde3f266d3bde190b54c9202169e7918a92de7e7e0337d792dc7263%40%3Cissues.commons.apache.org%3E",
"refsource": "MISC",
"tags": [],
"url": "https://lists.apache.org/thread.html/ffde3f266d3bde190b54c9202169e7918a92de7e7e0337d792dc7263%40%3Cissues.commons.apache.org%3E"
},
{
"name": "https://lists.apache.org/thread.html/084ae814e69178d2ce174cfdf149bc6e46d7524f3308c08d3adb43cb%40%3Cissues.commons.apache.org%3E",
"refsource": "MISC",
"tags": [],
"url": "https://lists.apache.org/thread.html/084ae814e69178d2ce174cfdf149bc6e46d7524f3308c08d3adb43cb%40%3Cissues.commons.apache.org%3E"
},
{
"name": "https://lists.apache.org/thread.html/15fcdf27fa060de276edc0b4098526afc21c236852eb3de9be9594f3%40%3Cissues.commons.apache.org%3E",
"refsource": "MISC",
"tags": [],
"url": "https://lists.apache.org/thread.html/15fcdf27fa060de276edc0b4098526afc21c236852eb3de9be9594f3%40%3Cissues.commons.apache.org%3E"
},
{
"name": "https://lists.apache.org/thread.html/2ba22f2e3de945039db735cf6cbf7f8be901ab2537337c7b1dd6a0f0%40%3Cissues.commons.apache.org%3E",
"refsource": "MISC",
"tags": [],
"url": "https://lists.apache.org/thread.html/2ba22f2e3de945039db735cf6cbf7f8be901ab2537337c7b1dd6a0f0%40%3Cissues.commons.apache.org%3E"
},
{
"name": "https://lists.apache.org/thread.html/6b30629b32d020c40d537f00b004d281c37528d471de15ca8aec2cd4%40%3Cissues.commons.apache.org%3E",
"refsource": "MISC",
"tags": [],
"url": "https://lists.apache.org/thread.html/6b30629b32d020c40d537f00b004d281c37528d471de15ca8aec2cd4%40%3Cissues.commons.apache.org%3E"
},
{
"name": "https://lists.apache.org/thread.html/42ad6326d62ea8453d0d0ce12eff39bbb7c5b4fca9639da007291346%40%3Cissues.commons.apache.org%3E",
"refsource": "MISC",
"tags": [],
"url": "https://lists.apache.org/thread.html/42ad6326d62ea8453d0d0ce12eff39bbb7c5b4fca9639da007291346%40%3Cissues.commons.apache.org%3E"
},
{
"name": "https://lists.apache.org/thread.html/d27c51b3c933f885460aa6d3004eb228916615caaaddbb8e8bfeeb40%40%3Cgitbox.activemq.apache.org%3E",
"refsource": "MISC",
"tags": [],
"url": "https://lists.apache.org/thread.html/d27c51b3c933f885460aa6d3004eb228916615caaaddbb8e8bfeeb40%40%3Cgitbox.activemq.apache.org%3E"
},
{
"name": "https://lists.apache.org/thread.html/r75d67108e557bb5d4c4318435067714a0180de525314b7e8dab9d04e%40%3Cissues.activemq.apache.org%3E",
"refsource": "MISC",
"tags": [],
"url": "https://lists.apache.org/thread.html/r75d67108e557bb5d4c4318435067714a0180de525314b7e8dab9d04e%40%3Cissues.activemq.apache.org%3E"
},
{
"name": "https://lists.apache.org/thread.html/9317fd092b257a0815434b116a8af8daea6e920b6673f4fd5583d5fe%40%3Ccommits.druid.apache.org%3E",
"refsource": "MISC",
"tags": [],
"url": "https://lists.apache.org/thread.html/9317fd092b257a0815434b116a8af8daea6e920b6673f4fd5583d5fe%40%3Ccommits.druid.apache.org%3E"
},
{
"name": "https://lists.apache.org/thread.html/3f500972dceb48e3cb351f58565aecf6728b1ea7a69593af86c30b30%40%3Cissues.activemq.apache.org%3E",
"refsource": "MISC",
"tags": [],
"url": "https://lists.apache.org/thread.html/3f500972dceb48e3cb351f58565aecf6728b1ea7a69593af86c30b30%40%3Cissues.activemq.apache.org%3E"
},
{
"name": "https://lists.apache.org/thread.html/31f9dc2c9cb68e390634a4202f84b8569f64b6569bfcce46348fd9fd%40%3Ccommits.commons.apache.org%3E",
"refsource": "MISC",
"tags": [],
"url": "https://lists.apache.org/thread.html/31f9dc2c9cb68e390634a4202f84b8569f64b6569bfcce46348fd9fd%40%3Ccommits.commons.apache.org%3E"
},
{
"name": "https://lists.apache.org/thread.html/88c497eead24ed517a2bb3159d3dc48725c215e97fe7a98b2cf3ea25%40%3Cdev.commons.apache.org%3E",
"refsource": "MISC",
"tags": [],
"url": "https://lists.apache.org/thread.html/88c497eead24ed517a2bb3159d3dc48725c215e97fe7a98b2cf3ea25%40%3Cdev.commons.apache.org%3E"
},
{
"name": "https://lists.apache.org/thread.html/cee6b1c4533be1a753614f6a7d7c533c42091e7cafd7053b8f62792a%40%3Cissues.commons.apache.org%3E",
"refsource": "MISC",
"tags": [],
"url": "https://lists.apache.org/thread.html/cee6b1c4533be1a753614f6a7d7c533c42091e7cafd7053b8f62792a%40%3Cissues.commons.apache.org%3E"
},
{
"name": "https://lists.apache.org/thread.html/c24c0b931632a397142882ba248b7bd440027960f22845c6f664c639%40%3Ccommits.commons.apache.org%3E",
"refsource": "MISC",
"tags": [],
"url": "https://lists.apache.org/thread.html/c24c0b931632a397142882ba248b7bd440027960f22845c6f664c639%40%3Ccommits.commons.apache.org%3E"
},
{
"name": "https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f%40%3Cdev.drill.apache.org%3E",
"refsource": "MISC",
"tags": [],
"url": "https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f%40%3Cdev.drill.apache.org%3E"
},
{
"name": "https://lists.apache.org/thread.html/ebc4f019798f6ce2a39f3e0c26a9068563a9ba092cdf3ece398d4e2f%40%3Cnotifications.commons.apache.org%3E",
"refsource": "MISC",
"tags": [],
"url": "https://lists.apache.org/thread.html/ebc4f019798f6ce2a39f3e0c26a9068563a9ba092cdf3ece398d4e2f%40%3Cnotifications.commons.apache.org%3E"
},
{
"name": "https://lists.apache.org/thread.html/66176fa3caeca77058d9f5b0316419a43b4c3fa2b572e05b87132226%40%3Cissues.commons.apache.org%3E",
"refsource": "MISC",
"tags": [],
"url": "https://lists.apache.org/thread.html/66176fa3caeca77058d9f5b0316419a43b4c3fa2b572e05b87132226%40%3Cissues.commons.apache.org%3E"
},
{
"name": "https://lists.apache.org/thread.html/rf5230a049d989dbfdd404b4320a265dceeeba459a4d04ec21873bd55%40%3Csolr-user.lucene.apache.org%3E",
"refsource": "MISC",
"tags": [],
"url": "https://lists.apache.org/thread.html/rf5230a049d989dbfdd404b4320a265dceeeba459a4d04ec21873bd55%40%3Csolr-user.lucene.apache.org%3E"
},
{
"name": "https://lists.apache.org/thread.html/918ec15a80fc766ff46c5d769cb8efc88fed6674faadd61a7105166b%40%3Cannounce.apache.org%3E",
"refsource": "MISC",
"tags": [],
"url": "https://lists.apache.org/thread.html/918ec15a80fc766ff46c5d769cb8efc88fed6674faadd61a7105166b%40%3Cannounce.apache.org%3E"
},
{
"name": "https://lists.apache.org/thread.html/c70da3cb6e3f03e0ad8013e38b6959419d866c4a7c80fdd34b73f25c%40%3Ccommits.pulsar.apache.org%3E",
"refsource": "MISC",
"tags": [],
"url": "https://lists.apache.org/thread.html/c70da3cb6e3f03e0ad8013e38b6959419d866c4a7c80fdd34b73f25c%40%3Ccommits.pulsar.apache.org%3E"
},
{
"name": "https://lists.apache.org/thread.html/9b5505632f5683ee17bda4f7878525e672226c7807d57709283ffa64%40%3Cissues.commons.apache.org%3E",
"refsource": "MISC",
"tags": [],
"url": "https://lists.apache.org/thread.html/9b5505632f5683ee17bda4f7878525e672226c7807d57709283ffa64%40%3Cissues.commons.apache.org%3E"
},
{
"name": "https://lists.apache.org/thread.html/956995acee0d8bc046f1df0a55b7fbeb65dd2f82864e5de1078bacb0%40%3Cissues.commons.apache.org%3E",
"refsource": "MISC",
"tags": [],
"url": "https://lists.apache.org/thread.html/956995acee0d8bc046f1df0a55b7fbeb65dd2f82864e5de1078bacb0%40%3Cissues.commons.apache.org%3E"
},
{
"name": "https://lists.apache.org/thread.html/r204ba2a9ea750f38d789d2bb429cc0925ad6133deea7cbc3001d96b5%40%3Csolr-user.lucene.apache.org%3E",
"refsource": "MISC",
"tags": [],
"url": "https://lists.apache.org/thread.html/r204ba2a9ea750f38d789d2bb429cc0925ad6133deea7cbc3001d96b5%40%3Csolr-user.lucene.apache.org%3E"
},
{
"name": "https://lists.apache.org/thread.html/0340493a1ddf3660dee09a5c503449cdac5bec48cdc478de65858859%40%3Cdev.commons.apache.org%3E",
"refsource": "MISC",
"tags": [],
"url": "https://lists.apache.org/thread.html/0340493a1ddf3660dee09a5c503449cdac5bec48cdc478de65858859%40%3Cdev.commons.apache.org%3E"
},
{
"name": "https://lists.apache.org/thread.html/c7e31c3c90b292e0bafccc4e1b19c9afc1503a65d82cb7833dfd7478%40%3Cissues.commons.apache.org%3E",
"refsource": "MISC",
"tags": [],
"url": "https://lists.apache.org/thread.html/c7e31c3c90b292e0bafccc4e1b19c9afc1503a65d82cb7833dfd7478%40%3Cissues.commons.apache.org%3E"
},
{
"name": "https://lists.apache.org/thread.html/0a35108a56e2d575e3b3985588794e39fbf264097aba66f4c5569e4f%40%3Cuser.commons.apache.org%3E",
"refsource": "MISC",
"tags": [],
"url": "https://lists.apache.org/thread.html/0a35108a56e2d575e3b3985588794e39fbf264097aba66f4c5569e4f%40%3Cuser.commons.apache.org%3E"
},
{
"name": "https://lists.apache.org/thread.html/df1c385f2112edffeff57a6b21d12e8d24031a9f578cb8ba22a947a8%40%3Cissues.commons.apache.org%3E",
"refsource": "MISC",
"tags": [],
"url": "https://lists.apache.org/thread.html/df1c385f2112edffeff57a6b21d12e8d24031a9f578cb8ba22a947a8%40%3Cissues.commons.apache.org%3E"
},
{
"name": "https://lists.apache.org/thread.html/37e1ed724a1b0e5d191d98c822c426670bdfde83804567131847d2a3%40%3Cdevnull.infra.apache.org%3E",
"refsource": "MISC",
"tags": [],
"url": "https://lists.apache.org/thread.html/37e1ed724a1b0e5d191d98c822c426670bdfde83804567131847d2a3%40%3Cdevnull.infra.apache.org%3E"
},
{
"name": "https://lists.apache.org/thread.html/6afe2f935493e69a332b9c5a4f23cafe95c15ede1591a492cf612293%40%3Cissues.commons.apache.org%3E",
"refsource": "MISC",
"tags": [],
"url": "https://lists.apache.org/thread.html/6afe2f935493e69a332b9c5a4f23cafe95c15ede1591a492cf612293%40%3Cissues.commons.apache.org%3E"
},
{
"name": "https://lists.apache.org/thread.html/080af531a9113e29d3f6a060e3f992dc9f40315ec7234e15c3b339e3%40%3Cissues.commons.apache.org%3E",
"refsource": "MISC",
"tags": [],
"url": "https://lists.apache.org/thread.html/080af531a9113e29d3f6a060e3f992dc9f40315ec7234e15c3b339e3%40%3Cissues.commons.apache.org%3E"
},
{
"name": "https://lists.apache.org/thread.html/97fc033dad4233a5d82fcb75521eabdd23dd99ef32eb96f407f96a1a%40%3Cissues.commons.apache.org%3E",
"refsource": "MISC",
"tags": [],
"url": "https://lists.apache.org/thread.html/97fc033dad4233a5d82fcb75521eabdd23dd99ef32eb96f407f96a1a%40%3Cissues.commons.apache.org%3E"
},
{
"name": "https://lists.apache.org/thread.html/708d94141126eac03011144a971a6411fcac16d9c248d1d535a39451%40%3Csolr-user.lucene.apache.org%3E",
"refsource": "MISC",
"tags": [],
"url": "https://lists.apache.org/thread.html/708d94141126eac03011144a971a6411fcac16d9c248d1d535a39451%40%3Csolr-user.lucene.apache.org%3E"
},
{
"name": "https://lists.apache.org/thread.html/f3682772e62926b5c009eed63c62767021be6da0bb7427610751809f%40%3Cissues.commons.apache.org%3E",
"refsource": "MISC",
"tags": [],
"url": "https://lists.apache.org/thread.html/f3682772e62926b5c009eed63c62767021be6da0bb7427610751809f%40%3Cissues.commons.apache.org%3E"
}
]
}
},
"impact": {
"baseMetricV2": {
"cvssV2": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "HIGH",
"userInteractionRequired": false
}
},
"lastModifiedDate": "2023-02-13T00:32Z",
"publishedDate": "2014-04-30T10:49Z"
}
}
}
icsma-20-184-01
Vulnerability from csaf_cisa
Published
2020-07-02 00:00
Modified
2021-06-15 00:00
Summary
OpenClinic GA (Update B)
Notes
CISA Disclaimer
This CSAF advisory was extracted from unstructured data and may contain inaccuracies. If you notice any errors, please reach out to the designated contact at CISA CSAF: central@cisa.dhs.gov
Legal Notice
All information products included in https://us-cert.cisa.gov/ics are provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. DHS does not endorse any commercial product or service, referenced in this product or otherwise. Further dissemination of this product is governed by the Traffic Light Protocol (TLP) marking in the header. For more information about TLP, see https://us-cert.cisa.gov/tlp/.
Risk evaluation
Successful exploitation of these vulnerabilities could allow an attacker to bypass authentication, discover restricted information, view/manipulate restricted database information, and/or execute malicious code.
Critical infrastructure sectors
Healthcare and Public Health
Countries/areas deployed
Worldwide
Company headquarters location
Open-source
Recommended Practices
CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. Specifically, users should:
Recommended Practices
CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices on the ICS webpage onus-cert.cisa.gov. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
Recommended Practices
Additional mitigation guidance and recommended practices are publicly available on the ICS webpage on us-cert.cisa.gov in the Technical Information Paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing any suspected malicious activity should follow their established internal procedures and report their findings to CISA for tracking and correlation against other incidents.
Recommended Practices
CISA also recommends users take the following measures to protect themselves from social engineering attacks:
{
"document": {
"acknowledgments": [
{
"names": [
"Brian D. Hysell"
],
"summary": "reporting these vulnerabilities to CISA"
}
],
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Disclosure is not limited",
"tlp": {
"label": "WHITE",
"url": "https://us-cert.cisa.gov/tlp/"
}
},
"lang": "en-US",
"notes": [
{
"category": "general",
"text": "This CSAF advisory was extracted from unstructured data and may contain inaccuracies. If you notice any errors, please reach out to the designated contact at CISA CSAF: central@cisa.dhs.gov",
"title": "CISA Disclaimer"
},
{
"category": "legal_disclaimer",
"text": "All information products included in https://us-cert.cisa.gov/ics are provided \"as is\" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. DHS does not endorse any commercial product or service, referenced in this product or otherwise. Further dissemination of this product is governed by the Traffic Light Protocol (TLP) marking in the header. For more information about TLP, see https://us-cert.cisa.gov/tlp/.",
"title": "Legal Notice"
},
{
"category": "summary",
"text": "Successful exploitation of these vulnerabilities could allow an attacker to bypass authentication, discover restricted information, view/manipulate restricted database information, and/or execute malicious code.",
"title": "Risk evaluation"
},
{
"category": "other",
"text": "Healthcare and Public Health",
"title": "Critical infrastructure sectors"
},
{
"category": "other",
"text": "Worldwide",
"title": "Countries/areas deployed"
},
{
"category": "other",
"text": "Open-source",
"title": "Company headquarters location"
},
{
"category": "general",
"text": "CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. Specifically, users should:",
"title": "Recommended Practices"
},
{
"category": "general",
"text": "CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.\nCISA also provides a section for control systems security recommended practices on the ICS webpage onus-cert.cisa.gov. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.",
"title": "Recommended Practices"
},
{
"category": "general",
"text": "Additional mitigation guidance and recommended practices are publicly available on the ICS webpage on us-cert.cisa.gov in the Technical Information Paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.\nOrganizations observing any suspected malicious activity should follow their established internal procedures and report their findings to CISA for tracking and correlation against other incidents.",
"title": "Recommended Practices"
},
{
"category": "general",
"text": "CISA also recommends users take the following measures to protect themselves from social engineering attacks:",
"title": "Recommended Practices"
}
],
"publisher": {
"category": "coordinator",
"contact_details": "Email: CISAservicedesk@cisa.dhs.gov;\n Toll Free: 1-888-282-0870",
"name": "CISA",
"namespace": "https://www.cisa.gov/"
},
"references": [
{
"category": "self",
"summary": "ICS Advisory ICSMA-20-184-01 JSON",
"url": "https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/OT/white/2020/icsma-20-184-01.json"
},
{
"category": "self",
"summary": "ICS Advisory ICSMA-20-184-01 Web Version",
"url": "https://www.cisa.gov/news-events/ics-medical-advisories/icsma-20-184-01"
},
{
"category": "external",
"summary": "Recommended Practices",
"url": "https://us-cert.cisa.gov/ncas/tips/ST04-014"
},
{
"category": "external",
"summary": "Recommended Practices",
"url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf"
},
{
"category": "external",
"summary": "Recommended Practices",
"url": "https://us-cert.cisa.gov/ics/tips/ICS-TIP-12-146-01B"
}
],
"title": "OpenClinic GA (Update B)",
"tracking": {
"current_release_date": "2021-06-15T00:00:00.000000Z",
"generator": {
"engine": {
"name": "CISA CSAF Generator",
"version": "1.0.0"
}
},
"id": "ICSMA-20-184-01",
"initial_release_date": "2020-07-02T00:00:00.000000Z",
"revision_history": [
{
"date": "2020-07-02T00:00:00.000000Z",
"legacy_version": "Initial",
"number": "1",
"summary": "ICSMA-20-184-01 OpenClinic GA"
},
{
"date": "2020-08-27T00:00:00.000000Z",
"legacy_version": "A",
"number": "2",
"summary": "ICSMA-20-184-01 OpenClinic GA (Update A)"
},
{
"date": "2021-06-15T00:00:00.000000Z",
"legacy_version": "B",
"number": "3",
"summary": "ICSMA-20-184-01 OpenClinic GA (Update B)"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "5.09.02",
"product": {
"name": "OpenClinic GA: Version 5.09.02",
"product_id": "CSAFPID-0001"
}
}
],
"category": "product_name",
"name": "OpenClinic GA"
},
{
"branches": [
{
"category": "product_version",
"name": "5.89.05b",
"product": {
"name": "OpenClinic GA: Version 5.89.05b",
"product_id": "CSAFPID-0002"
}
}
],
"category": "product_name",
"name": "OpenClinic GA"
}
],
"category": "vendor",
"name": "OpenClinic GA"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2020-14485",
"cwe": {
"id": "CWE-288",
"name": "Authentication Bypass Using an Alternate Path or Channel"
},
"notes": [
{
"category": "summary",
"text": "An attacker may bypass client-side access controls or use a crafted request to initiate a session with limited functionality, which may allow execution of admin functions such as SQL queries.CVE-2020-14485 has been assigned to this vulnerability. A CVSS v3 base score of 9.4 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L).",
"title": "Vulnerability Summary"
}
],
"product_status": {
"known_affected": [
"CSAFPID-0001",
"CSAFPID-0002"
]
},
"references": [
{
"category": "external",
"summary": "web.nvd.nist.gov",
"url": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-14485"
},
{
"category": "external",
"summary": "www.first.org",
"url": "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "OpenClinic GA has released an updated version to resolve these vulnerabilities, and recommend users upgrade to Version 5.170.5 or later.",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002"
],
"url": "https://sourceforge.net/projects/open-clinic/files/"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 9.4,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L",
"version": "3.0"
},
"products": [
"CSAFPID-0001",
"CSAFPID-0002"
]
}
]
},
{
"cve": "CVE-2020-14484",
"cwe": {
"id": "CWE-307",
"name": "Improper Restriction of Excessive Authentication Attempts"
},
"notes": [
{
"category": "summary",
"text": "An attacker can bypass the system \u0027s account lockout protection, which may allow brute force password attacks.CVE-2020-14484 has been assigned to this vulnerability. A CVSS v3 base score of 7.3 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L).",
"title": "Vulnerability Summary"
}
],
"product_status": {
"known_affected": [
"CSAFPID-0001",
"CSAFPID-0002"
]
},
"references": [
{
"category": "external",
"summary": "web.nvd.nist.gov",
"url": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-14484"
},
{
"category": "external",
"summary": "www.first.org",
"url": "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "OpenClinic GA has released an updated version to resolve these vulnerabilities, and recommend users upgrade to Version 5.170.5 or later.",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002"
],
"url": "https://sourceforge.net/projects/open-clinic/files/"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.3,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.0"
},
"products": [
"CSAFPID-0001",
"CSAFPID-0002"
]
}
]
},
{
"cve": "CVE-2020-14494",
"cwe": {
"id": "CWE-287",
"name": "Improper Authentication"
},
"notes": [
{
"category": "summary",
"text": "An authentication mechanism within the system does not contain sufficient complexity to protect against brute force attacks, which may allow unauthorized users to access the system after no more than a fixed maximum number of attempts.CVE-2020-14494 has been assigned to this vulnerability. A CVSS v3 base score of 7.3 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L).",
"title": "Vulnerability Summary"
}
],
"product_status": {
"known_affected": [
"CSAFPID-0001",
"CSAFPID-0002"
]
},
"references": [
{
"category": "external",
"summary": "web.nvd.nist.gov",
"url": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-14494"
},
{
"category": "external",
"summary": "www.first.org",
"url": "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "OpenClinic GA has released an updated version to resolve these vulnerabilities, and recommend users upgrade to Version 5.170.5 or later.",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002"
],
"url": "https://sourceforge.net/projects/open-clinic/files/"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.3,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.0"
},
"products": [
"CSAFPID-0001",
"CSAFPID-0002"
]
}
]
},
{
"cve": "CVE-2020-14491",
"cwe": {
"id": "CWE-862",
"name": "Missing Authorization"
},
"notes": [
{
"category": "summary",
"text": "The system does not properly check permissions before executing SQL queries, which may allow a low-privilege user to access privileged information.CVE-2020-14491 has been assigned to this vulnerability. A CVSS v3 base score of 8.3 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L).",
"title": "Vulnerability Summary"
}
],
"product_status": {
"known_affected": [
"CSAFPID-0001",
"CSAFPID-0002"
]
},
"references": [
{
"category": "external",
"summary": "web.nvd.nist.gov",
"url": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-14491"
},
{
"category": "external",
"summary": "www.first.org",
"url": "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "OpenClinic GA has released an updated version to resolve these vulnerabilities, and recommend users upgrade to Version 5.170.5 or later.",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002"
],
"url": "https://sourceforge.net/projects/open-clinic/files/"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.3,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L",
"version": "3.0"
},
"products": [
"CSAFPID-0001",
"CSAFPID-0002"
]
}
]
},
{
"cve": "CVE-2020-14488",
"cwe": {
"id": "CWE-250",
"name": "Execution with Unnecessary Privileges"
},
"notes": [
{
"category": "summary",
"text": "A low-privilege user may use SQL syntax to write arbitrary files to the server, which may allow the execution of arbitrary commands.CVE-2020-14493 has been assigned to this vulnerability. A CVSS v3 base score of 8.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).CVE-2020-14488 has been assigned to this vulnerability. A CVSS v3 base score of 8.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).",
"title": "Vulnerability Summary"
}
],
"product_status": {
"known_affected": [
"CSAFPID-0001",
"CSAFPID-0002"
]
},
"references": [
{
"category": "external",
"summary": "web.nvd.nist.gov",
"url": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-14488"
},
{
"category": "external",
"summary": "www.first.org",
"url": "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "OpenClinic GA has released an updated version to resolve these vulnerabilities, and recommend users upgrade to Version 5.170.5 or later.",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002"
],
"url": "https://sourceforge.net/projects/open-clinic/files/"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"products": [
"CSAFPID-0001",
"CSAFPID-0002"
]
}
]
},
{
"cve": "CVE-2020-14490",
"cwe": {
"id": "CWE-434",
"name": "Unrestricted Upload of File with Dangerous Type"
},
"notes": [
{
"category": "summary",
"text": "The system does not properly verify uploaded files, which may allow a low-privilege user to upload and execute arbitrary files on the system.CVE-2020-14490 has been assigned to this vulnerability. A CVSS v3 base score of 8.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).",
"title": "Vulnerability Summary"
}
],
"product_status": {
"known_affected": [
"CSAFPID-0001",
"CSAFPID-0002"
]
},
"references": [
{
"category": "external",
"summary": "web.nvd.nist.gov",
"url": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-14490"
},
{
"category": "external",
"summary": "www.first.org",
"url": "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "OpenClinic GA has released an updated version to resolve these vulnerabilities, and recommend users upgrade to Version 5.170.5 or later.",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002"
],
"url": "https://sourceforge.net/projects/open-clinic/files/"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"products": [
"CSAFPID-0001",
"CSAFPID-0002"
]
}
]
},
{
"cve": "CVE-2020-14486",
"cwe": {
"id": "CWE-22",
"name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
},
"notes": [
{
"category": "summary",
"text": "The system includes arbitrary local files specified within its parameter and executes some files, which may allow disclosure of sensitive files or the execution of malicious uploaded files.CVE-2020-14486 has been assigned to this vulnerability. A CVSS v3 base score of 6.3 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L).",
"title": "Vulnerability Summary"
}
],
"product_status": {
"known_affected": [
"CSAFPID-0001",
"CSAFPID-0002"
]
},
"references": [
{
"category": "external",
"summary": "web.nvd.nist.gov",
"url": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-14486"
},
{
"category": "external",
"summary": "www.first.org",
"url": "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "OpenClinic GA has released an updated version to resolve these vulnerabilities, and recommend users upgrade to Version 5.170.5 or later.",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002"
],
"url": "https://sourceforge.net/projects/open-clinic/files/"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"version": "3.0"
},
"products": [
"CSAFPID-0001",
"CSAFPID-0002"
]
}
]
},
{
"cve": "CVE-2020-14492",
"cwe": {
"id": "CWE-285",
"name": "Improper Authorization"
},
"notes": [
{
"category": "summary",
"text": "An attacker may bypass permission/authorization checks by ignoring the redirect of a permission failure, which may allow unauthorized execution of commands.CVE-2020-14492 has been assigned to this vulnerability. A CVSS v3 base score of 5.4 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N).",
"title": "Vulnerability Summary"
}
],
"product_status": {
"known_affected": [
"CSAFPID-0001",
"CSAFPID-0002"
]
},
"references": [
{
"category": "external",
"summary": "web.nvd.nist.gov",
"url": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-14492"
},
{
"category": "external",
"summary": "www.first.org",
"url": "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "OpenClinic GA has released an updated version to resolve these vulnerabilities, and recommend users upgrade to Version 5.170.5 or later.",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002"
],
"url": "https://sourceforge.net/projects/open-clinic/files/"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N",
"version": "3.0"
},
"products": [
"CSAFPID-0001",
"CSAFPID-0002"
]
}
]
},
{
"cve": "CVE-2014-0114",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"notes": [
{
"category": "summary",
"text": "The system does not properly neutralize user-controllable input, which may allow the execution of malicious code within the user \u0027s browser.CVE-2014-0114, CVE-2016-1181, and CVE-2016-1182 are related to this vulnerability.A CVSS v3 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).",
"title": "Vulnerability Summary"
}
],
"product_status": {
"known_affected": [
"CSAFPID-0001",
"CSAFPID-0002"
]
},
"references": [
{
"category": "external",
"summary": "web.nvd.nist.gov",
"url": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0114"
},
{
"category": "external",
"summary": "web.nvd.nist.gov",
"url": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-1181"
},
{
"category": "external",
"summary": "web.nvd.nist.gov",
"url": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-1182"
},
{
"category": "external",
"summary": "www.first.org",
"url": "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "OpenClinic GA has released an updated version to resolve these vulnerabilities, and recommend users upgrade to Version 5.170.5 or later.",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002"
],
"url": "https://sourceforge.net/projects/open-clinic/files/"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"products": [
"CSAFPID-0001",
"CSAFPID-0002"
]
}
]
},
{
"cve": "CVE-2016-1181",
"cwe": {
"id": "CWE-1104",
"name": "Use of Unmaintained Third Party Components"
},
"notes": [
{
"category": "summary",
"text": "The system contains third-party software versions that are end-of-life and contain known vulnerabilities, which may allow remote code execution.CVE-2020-14489 has been assigned to this vulnerability. A CVSS v3 base score of 6.2 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).",
"title": "Vulnerability Summary"
}
],
"product_status": {
"known_affected": [
"CSAFPID-0001",
"CSAFPID-0002"
]
},
"references": [
{
"category": "external",
"summary": "web.nvd.nist.gov",
"url": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-14489"
},
{
"category": "external",
"summary": "www.first.org",
"url": "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "OpenClinic GA has released an updated version to resolve these vulnerabilities, and recommend users upgrade to Version 5.170.5 or later.",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002"
],
"url": "https://sourceforge.net/projects/open-clinic/files/"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.2,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.0"
},
"products": [
"CSAFPID-0001",
"CSAFPID-0002"
]
}
]
},
{
"cve": "CVE-2016-1182",
"cwe": {
"id": "CWE-522",
"name": "Insufficiently Protected Credentials"
},
"notes": [
{
"category": "summary",
"text": "The system stores passwords using inadequate hashing complexity, which may allow an attacker to recover passwords using known password cracking techniques.CVE-2020-14487 has been assigned to this vulnerability. A CVSS v3 base score of 9.4 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L).\n",
"title": "Vulnerability Summary"
}
],
"product_status": {
"known_affected": [
"CSAFPID-0001",
"CSAFPID-0002"
]
},
"references": [
{
"category": "external",
"summary": "web.nvd.nist.gov",
"url": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-14487"
},
{
"category": "external",
"summary": "www.first.org",
"url": "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "OpenClinic GA has released an updated version to resolve these vulnerabilities, and recommend users upgrade to Version 5.170.5 or later.",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002"
],
"url": "https://sourceforge.net/projects/open-clinic/files/"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 9.4,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L",
"version": "3.0"
},
"products": [
"CSAFPID-0001",
"CSAFPID-0002"
]
}
]
}
]
}
Loading...
Loading...
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.