{
   document: {
      aggregate_severity: {
         namespace: "https://access.redhat.com/security/updates/classification/",
         text: "Important",
      },
      category: "csaf_security_advisory",
      csaf_version: "2.0",
      distribution: {
         text: "Copyright © Red Hat, Inc. All rights reserved.",
         tlp: {
            label: "WHITE",
            url: "https://www.first.org/tlp/",
         },
      },
      lang: "en",
      notes: [
         {
            category: "summary",
            text: "A new image is available for Red Hat Single Sign-On 7.5.1, running on OpenShift Container Platform 3.10 and 3.11, and 4.9.\n\nRed Hat Product Security has rated this update as having a security impact of important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
            title: "Topic",
         },
         {
            category: "general",
            text: "Red Hat Single Sign-On is an integrated sign-on solution, available as a\nRed Hat JBoss Middleware for OpenShift containerized image. The Red Hat\nSingle Sign-On for OpenShift image provides an authentication server that\nyou can use to log in centrally, log out, and register. You can also manage\nuser accounts for web applications, mobile applications, and RESTful web\nservices.\n\nThis erratum releases a new image for Red Hat Single Sign-On 7.5.1 for\nuse within the OpenShift Container Platform 3.10, OpenShift Container Platform\n3.11, and within the OpenShift Container Platform 4.9 cloud computing Platform-as-a-Service (PaaS) for\non-premise or private cloud deployments, aligning with the standalone product release.\n\nSecurity Fix(es):\n\n* resteasy-jaxrs: resteasy: Error message exposes endpoint class information (CVE-2021-20289)\n\n* keycloak-server-spi-private: ECP SAML binding bypasses authentication flows (CVE-2021-3827)\n\n* xmlsec: xml-security: XPath Transform abuse allows for information disclosure (CVE-2021-40690)\n\n* keycloak-services: Keycloak: Incorrect authorization allows unpriviledged users to create other users (CVE-2021-4133)\n\nFor more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.",
            title: "Details",
         },
         {
            category: "legal_disclaimer",
            text: "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
            title: "Terms of Use",
         },
      ],
      publisher: {
         category: "vendor",
         contact_details: "https://access.redhat.com/security/team/contact/",
         issuing_authority: "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
         name: "Red Hat Product Security",
         namespace: "https://www.redhat.com",
      },
      references: [
         {
            category: "self",
            summary: "https://access.redhat.com/errata/RHSA-2022:0164",
            url: "https://access.redhat.com/errata/RHSA-2022:0164",
         },
         {
            category: "external",
            summary: "https://access.redhat.com/security/updates/classification/#important",
            url: "https://access.redhat.com/security/updates/classification/#important",
         },
         {
            category: "external",
            summary: "1935927",
            url: "https://bugzilla.redhat.com/show_bug.cgi?id=1935927",
         },
         {
            category: "external",
            summary: "2007512",
            url: "https://bugzilla.redhat.com/show_bug.cgi?id=2007512",
         },
         {
            category: "external",
            summary: "2011190",
            url: "https://bugzilla.redhat.com/show_bug.cgi?id=2011190",
         },
         {
            category: "external",
            summary: "2033602",
            url: "https://bugzilla.redhat.com/show_bug.cgi?id=2033602",
         },
         {
            category: "external",
            summary: "CIAM-1169",
            url: "https://issues.redhat.com/browse/CIAM-1169",
         },
         {
            category: "self",
            summary: "Canonical URL",
            url: "https://security.access.redhat.com/data/csaf/v2/advisories/2022/rhsa-2022_0164.json",
         },
      ],
      title: "Red Hat Security Advisory: Red Hat Single Sign-On 7.5.1 for OpenShift image security and enhancement update",
      tracking: {
         current_release_date: "2024-11-25T10:43:41+00:00",
         generator: {
            date: "2024-11-25T10:43:41+00:00",
            engine: {
               name: "Red Hat SDEngine",
               version: "4.2.1",
            },
         },
         id: "RHSA-2022:0164",
         initial_release_date: "2022-01-18T14:52:40+00:00",
         revision_history: [
            {
               date: "2022-01-18T14:52:40+00:00",
               number: "1",
               summary: "Initial version",
            },
            {
               date: "2022-01-18T14:52:40+00:00",
               number: "2",
               summary: "Last updated version",
            },
            {
               date: "2024-11-25T10:43:41+00:00",
               number: "3",
               summary: "Last generated version",
            },
         ],
         status: "final",
         version: "3",
      },
   },
   product_tree: {
      branches: [
         {
            branches: [
               {
                  branches: [
                     {
                        category: "product_name",
                        name: "Middleware Containers for OpenShift",
                        product: {
                           name: "Middleware Containers for OpenShift",
                           product_id: "8Base-RHOSE-Middleware",
                           product_identification_helper: {
                              cpe: "cpe:/a:redhat:rhosemc:1.0::el8",
                           },
                        },
                     },
                  ],
                  category: "product_family",
                  name: "Red Hat OpenShift Enterprise",
               },
               {
                  branches: [
                     {
                        category: "product_version",
                        name: "rh-sso-7/sso75-openshift-rhel8@sha256:720a7e4c4926c41c1219a90daaea3b971a3d0da5a152a96fed4fb544d80f52e3_amd64",
                        product: {
                           name: "rh-sso-7/sso75-openshift-rhel8@sha256:720a7e4c4926c41c1219a90daaea3b971a3d0da5a152a96fed4fb544d80f52e3_amd64",
                           product_id: "rh-sso-7/sso75-openshift-rhel8@sha256:720a7e4c4926c41c1219a90daaea3b971a3d0da5a152a96fed4fb544d80f52e3_amd64",
                           product_identification_helper: {
                              purl: "pkg:oci/sso75-openshift-rhel8@sha256:720a7e4c4926c41c1219a90daaea3b971a3d0da5a152a96fed4fb544d80f52e3?arch=amd64&repository_url=registry.redhat.io/rh-sso-7/sso75-openshift-rhel8&tag=7.5-15",
                           },
                        },
                     },
                  ],
                  category: "architecture",
                  name: "amd64",
               },
            ],
            category: "vendor",
            name: "Red Hat",
         },
      ],
      relationships: [
         {
            category: "default_component_of",
            full_product_name: {
               name: "rh-sso-7/sso75-openshift-rhel8@sha256:720a7e4c4926c41c1219a90daaea3b971a3d0da5a152a96fed4fb544d80f52e3_amd64 as a component of Middleware Containers for OpenShift",
               product_id: "8Base-RHOSE-Middleware:rh-sso-7/sso75-openshift-rhel8@sha256:720a7e4c4926c41c1219a90daaea3b971a3d0da5a152a96fed4fb544d80f52e3_amd64",
            },
            product_reference: "rh-sso-7/sso75-openshift-rhel8@sha256:720a7e4c4926c41c1219a90daaea3b971a3d0da5a152a96fed4fb544d80f52e3_amd64",
            relates_to_product_reference: "8Base-RHOSE-Middleware",
         },
      ],
   },
   vulnerabilities: [
      {
         acknowledgments: [
            {
               names: [
                  "Aaron Sachau",
               ],
               organization: "SRAM",
            },
         ],
         cve: "CVE-2021-3827",
         cwe: {
            id: "CWE-287",
            name: "Improper Authentication",
         },
         discovery_date: "2021-09-24T00:00:00+00:00",
         ids: [
            {
               system_name: "Red Hat Bugzilla ID",
               text: "2007512",
            },
         ],
         notes: [
            {
               category: "description",
               text: "A flaw was found in keycloak, where the default ECP binding flow allows other authentication flows to be bypassed. By exploiting this behavior, an attacker can bypass the MFA authentication by sending a SOAP request with an AuthnRequest and Authorization header with the user's credentials. The highest threat from this vulnerability is to confidentiality and integrity.",
               title: "Vulnerability description",
            },
            {
               category: "summary",
               text: "keycloak-server-spi-private: ECP SAML binding bypasses authentication flows",
               title: "Vulnerability summary",
            },
            {
               category: "general",
               text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
               title: "CVSS score applicability",
            },
         ],
         product_status: {
            fixed: [
               "8Base-RHOSE-Middleware:rh-sso-7/sso75-openshift-rhel8@sha256:720a7e4c4926c41c1219a90daaea3b971a3d0da5a152a96fed4fb544d80f52e3_amd64",
            ],
         },
         references: [
            {
               category: "self",
               summary: "Canonical URL",
               url: "https://access.redhat.com/security/cve/CVE-2021-3827",
            },
            {
               category: "external",
               summary: "RHBZ#2007512",
               url: "https://bugzilla.redhat.com/show_bug.cgi?id=2007512",
            },
            {
               category: "external",
               summary: "https://www.cve.org/CVERecord?id=CVE-2021-3827",
               url: "https://www.cve.org/CVERecord?id=CVE-2021-3827",
            },
            {
               category: "external",
               summary: "https://nvd.nist.gov/vuln/detail/CVE-2021-3827",
               url: "https://nvd.nist.gov/vuln/detail/CVE-2021-3827",
            },
            {
               category: "external",
               summary: "https://github.com/keycloak/keycloak/security/advisories/GHSA-4pc7-vqv5-5r3v",
               url: "https://github.com/keycloak/keycloak/security/advisories/GHSA-4pc7-vqv5-5r3v",
            },
         ],
         release_date: "2021-09-02T00:00:00+00:00",
         remediations: [
            {
               category: "vendor_fix",
               date: "2022-01-18T14:52:40+00:00",
               details: "To update to the latest Red Hat Single Sign-On 7.5.1 for OpenShift\nimage, Follow these steps to pull in the content:\n\n1. On your master hosts, ensure you are logged into the CLI as a\ncluster administrator or user with project administrator access\nto the global \"openshift\" project. For example:\n\n$ oc login -u system:admin\n\n2. Update the core set of Red Hat Single Sign-On resources for OpenShift\nin the \"openshift\" project by running the following commands:\n\n$ for resource in sso75-image-stream.json \\\nsso75-https.json \\\nsso75-mysql.json \\\nsso75-mysql-persistent.json \\\nsso75-postgresql.json \\\nsso75-postgresql-persistent.json \\\nsso75-x509-https.json \\\nsso75-x509-mysql-persistent.json \\\nsso75-x509-postgresql-persistent.json\ndo\noc replace -n openshift --force -f \\\nhttps://raw.githubusercontent.com/jboss-container-images/redhat-sso-7-openshift-image/v7.5.1.GA/templates/${resource}\ndone\n\n3. Install the Red Hat Single Sign-On 7.5.1 for OpenShift streams in the\n\"openshift\" project by running the following commands:\n\n$ oc -n openshift import-image redhat-sso75-openshift:1.0",
               product_ids: [
                  "8Base-RHOSE-Middleware:rh-sso-7/sso75-openshift-rhel8@sha256:720a7e4c4926c41c1219a90daaea3b971a3d0da5a152a96fed4fb544d80f52e3_amd64",
               ],
               restart_required: {
                  category: "none",
               },
               url: "https://access.redhat.com/errata/RHSA-2022:0164",
            },
         ],
         scores: [
            {
               cvss_v3: {
                  attackComplexity: "HIGH",
                  attackVector: "NETWORK",
                  availabilityImpact: "NONE",
                  baseScore: 6.8,
                  baseSeverity: "MEDIUM",
                  confidentialityImpact: "HIGH",
                  integrityImpact: "HIGH",
                  privilegesRequired: "LOW",
                  scope: "UNCHANGED",
                  userInteraction: "NONE",
                  vectorString: "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N",
                  version: "3.1",
               },
               products: [
                  "8Base-RHOSE-Middleware:rh-sso-7/sso75-openshift-rhel8@sha256:720a7e4c4926c41c1219a90daaea3b971a3d0da5a152a96fed4fb544d80f52e3_amd64",
               ],
            },
         ],
         threats: [
            {
               category: "impact",
               details: "Moderate",
            },
         ],
         title: "keycloak-server-spi-private: ECP SAML binding bypasses authentication flows",
      },
      {
         acknowledgments: [
            {
               names: [
                  "Grzegorz Sobański",
               ],
               organization: "MLabs",
            },
         ],
         cve: "CVE-2021-4133",
         cwe: {
            id: "CWE-863",
            name: "Incorrect Authorization",
         },
         discovery_date: "2021-12-17T00:00:00+00:00",
         ids: [
            {
               system_name: "Red Hat Bugzilla ID",
               text: "2033602",
            },
         ],
         notes: [
            {
               category: "description",
               text: "A flaw was found in Keycloak version from 12.0.0 and before 15.1.1 which allows an attacker with any existing user account to create new default user accounts via the administrative REST API even when new user registration is disabled.",
               title: "Vulnerability description",
            },
            {
               category: "summary",
               text: "Keycloak: Incorrect authorization allows unpriviledged users to create other users",
               title: "Vulnerability summary",
            },
            {
               category: "other",
               text: "This flaw affects only Red Hat Single Sign-on 7.5.0. Red Hat Single Sign-on 7.4.x releases are NOT affected. Fix is available for download from customer portal which can be applied on RH-SSO 7.5.0",
               title: "Statement",
            },
            {
               category: "general",
               text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
               title: "CVSS score applicability",
            },
         ],
         product_status: {
            fixed: [
               "8Base-RHOSE-Middleware:rh-sso-7/sso75-openshift-rhel8@sha256:720a7e4c4926c41c1219a90daaea3b971a3d0da5a152a96fed4fb544d80f52e3_amd64",
            ],
         },
         references: [
            {
               category: "self",
               summary: "Canonical URL",
               url: "https://access.redhat.com/security/cve/CVE-2021-4133",
            },
            {
               category: "external",
               summary: "RHBZ#2033602",
               url: "https://bugzilla.redhat.com/show_bug.cgi?id=2033602",
            },
            {
               category: "external",
               summary: "https://www.cve.org/CVERecord?id=CVE-2021-4133",
               url: "https://www.cve.org/CVERecord?id=CVE-2021-4133",
            },
            {
               category: "external",
               summary: "https://nvd.nist.gov/vuln/detail/CVE-2021-4133",
               url: "https://nvd.nist.gov/vuln/detail/CVE-2021-4133",
            },
            {
               category: "external",
               summary: "https://github.com/keycloak/keycloak/issues/9247",
               url: "https://github.com/keycloak/keycloak/issues/9247",
            },
            {
               category: "external",
               summary: "https://github.com/keycloak/keycloak/security/advisories/GHSA-83x4-9cwr-5487",
               url: "https://github.com/keycloak/keycloak/security/advisories/GHSA-83x4-9cwr-5487",
            },
         ],
         release_date: "2021-12-16T17:05:00+00:00",
         remediations: [
            {
               category: "vendor_fix",
               date: "2022-01-18T14:52:40+00:00",
               details: "To update to the latest Red Hat Single Sign-On 7.5.1 for OpenShift\nimage, Follow these steps to pull in the content:\n\n1. On your master hosts, ensure you are logged into the CLI as a\ncluster administrator or user with project administrator access\nto the global \"openshift\" project. For example:\n\n$ oc login -u system:admin\n\n2. Update the core set of Red Hat Single Sign-On resources for OpenShift\nin the \"openshift\" project by running the following commands:\n\n$ for resource in sso75-image-stream.json \\\nsso75-https.json \\\nsso75-mysql.json \\\nsso75-mysql-persistent.json \\\nsso75-postgresql.json \\\nsso75-postgresql-persistent.json \\\nsso75-x509-https.json \\\nsso75-x509-mysql-persistent.json \\\nsso75-x509-postgresql-persistent.json\ndo\noc replace -n openshift --force -f \\\nhttps://raw.githubusercontent.com/jboss-container-images/redhat-sso-7-openshift-image/v7.5.1.GA/templates/${resource}\ndone\n\n3. Install the Red Hat Single Sign-On 7.5.1 for OpenShift streams in the\n\"openshift\" project by running the following commands:\n\n$ oc -n openshift import-image redhat-sso75-openshift:1.0",
               product_ids: [
                  "8Base-RHOSE-Middleware:rh-sso-7/sso75-openshift-rhel8@sha256:720a7e4c4926c41c1219a90daaea3b971a3d0da5a152a96fed4fb544d80f52e3_amd64",
               ],
               restart_required: {
                  category: "none",
               },
               url: "https://access.redhat.com/errata/RHSA-2022:0164",
            },
            {
               category: "workaround",
               details: "Access to the user-creation functionality in the REST endpoint can be deactivated using CLI commands in undertow.\nrun:\n\nbin/jboss-cli.sh --connect\n/subsystem=undertow/configuration=filter/expression-filter=keycloakPathOverrideUsersCreateEndpoint:add( \\\n  expression=\"(regex('^/auth/admin/realms/(.*)/users$') and method(POST))-> response-code(400)\" \\\n)\n/subsystem=undertow/server=default-server/host=default-host/filter-ref=keycloakPathOverrideUsersCreateEndpoint:add()",
               product_ids: [
                  "8Base-RHOSE-Middleware:rh-sso-7/sso75-openshift-rhel8@sha256:720a7e4c4926c41c1219a90daaea3b971a3d0da5a152a96fed4fb544d80f52e3_amd64",
               ],
            },
         ],
         scores: [
            {
               cvss_v3: {
                  attackComplexity: "LOW",
                  attackVector: "NETWORK",
                  availabilityImpact: "HIGH",
                  baseScore: 8.3,
                  baseSeverity: "HIGH",
                  confidentialityImpact: "LOW",
                  integrityImpact: "HIGH",
                  privilegesRequired: "LOW",
                  scope: "UNCHANGED",
                  userInteraction: "NONE",
                  vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H",
                  version: "3.1",
               },
               products: [
                  "8Base-RHOSE-Middleware:rh-sso-7/sso75-openshift-rhel8@sha256:720a7e4c4926c41c1219a90daaea3b971a3d0da5a152a96fed4fb544d80f52e3_amd64",
               ],
            },
         ],
         threats: [
            {
               category: "impact",
               details: "Important",
            },
         ],
         title: "Keycloak: Incorrect authorization allows unpriviledged users to create other users",
      },
      {
         acknowledgments: [
            {
               names: [
                  "Dirk Papenberg",
               ],
               organization: "NTT DATA Germany",
            },
         ],
         cve: "CVE-2021-20289",
         cwe: {
            id: "CWE-209",
            name: "Generation of Error Message Containing Sensitive Information",
         },
         discovery_date: "2021-03-05T00:00:00+00:00",
         ids: [
            {
               system_name: "Red Hat Bugzilla ID",
               text: "1935927",
            },
         ],
         notes: [
            {
               category: "description",
               text: "A flaw was found in RESTEasy in all versions of RESTEasy up to 4.6.0.Final. The endpoint class and method names are returned as part of the exception response when RESTEasy cannot convert one of the request URI path or query values to the matching JAX-RS resource method's parameter value. The highest threat from this vulnerability is to data confidentiality.",
               title: "Vulnerability description",
            },
            {
               category: "summary",
               text: "resteasy: Error message exposes endpoint class information",
               title: "Vulnerability summary",
            },
            {
               category: "general",
               text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
               title: "CVSS score applicability",
            },
         ],
         product_status: {
            fixed: [
               "8Base-RHOSE-Middleware:rh-sso-7/sso75-openshift-rhel8@sha256:720a7e4c4926c41c1219a90daaea3b971a3d0da5a152a96fed4fb544d80f52e3_amd64",
            ],
         },
         references: [
            {
               category: "self",
               summary: "Canonical URL",
               url: "https://access.redhat.com/security/cve/CVE-2021-20289",
            },
            {
               category: "external",
               summary: "RHBZ#1935927",
               url: "https://bugzilla.redhat.com/show_bug.cgi?id=1935927",
            },
            {
               category: "external",
               summary: "https://www.cve.org/CVERecord?id=CVE-2021-20289",
               url: "https://www.cve.org/CVERecord?id=CVE-2021-20289",
            },
            {
               category: "external",
               summary: "https://nvd.nist.gov/vuln/detail/CVE-2021-20289",
               url: "https://nvd.nist.gov/vuln/detail/CVE-2021-20289",
            },
         ],
         release_date: "2021-03-03T00:00:00+00:00",
         remediations: [
            {
               category: "vendor_fix",
               date: "2022-01-18T14:52:40+00:00",
               details: "To update to the latest Red Hat Single Sign-On 7.5.1 for OpenShift\nimage, Follow these steps to pull in the content:\n\n1. On your master hosts, ensure you are logged into the CLI as a\ncluster administrator or user with project administrator access\nto the global \"openshift\" project. For example:\n\n$ oc login -u system:admin\n\n2. Update the core set of Red Hat Single Sign-On resources for OpenShift\nin the \"openshift\" project by running the following commands:\n\n$ for resource in sso75-image-stream.json \\\nsso75-https.json \\\nsso75-mysql.json \\\nsso75-mysql-persistent.json \\\nsso75-postgresql.json \\\nsso75-postgresql-persistent.json \\\nsso75-x509-https.json \\\nsso75-x509-mysql-persistent.json \\\nsso75-x509-postgresql-persistent.json\ndo\noc replace -n openshift --force -f \\\nhttps://raw.githubusercontent.com/jboss-container-images/redhat-sso-7-openshift-image/v7.5.1.GA/templates/${resource}\ndone\n\n3. Install the Red Hat Single Sign-On 7.5.1 for OpenShift streams in the\n\"openshift\" project by running the following commands:\n\n$ oc -n openshift import-image redhat-sso75-openshift:1.0",
               product_ids: [
                  "8Base-RHOSE-Middleware:rh-sso-7/sso75-openshift-rhel8@sha256:720a7e4c4926c41c1219a90daaea3b971a3d0da5a152a96fed4fb544d80f52e3_amd64",
               ],
               restart_required: {
                  category: "none",
               },
               url: "https://access.redhat.com/errata/RHSA-2022:0164",
            },
         ],
         scores: [
            {
               cvss_v3: {
                  attackComplexity: "LOW",
                  attackVector: "NETWORK",
                  availabilityImpact: "NONE",
                  baseScore: 5.3,
                  baseSeverity: "MEDIUM",
                  confidentialityImpact: "LOW",
                  integrityImpact: "NONE",
                  privilegesRequired: "NONE",
                  scope: "UNCHANGED",
                  userInteraction: "NONE",
                  vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
                  version: "3.1",
               },
               products: [
                  "8Base-RHOSE-Middleware:rh-sso-7/sso75-openshift-rhel8@sha256:720a7e4c4926c41c1219a90daaea3b971a3d0da5a152a96fed4fb544d80f52e3_amd64",
               ],
            },
         ],
         threats: [
            {
               category: "impact",
               details: "Low",
            },
         ],
         title: "resteasy: Error message exposes endpoint class information",
      },
      {
         cve: "CVE-2021-40690",
         cwe: {
            id: "CWE-200",
            name: "Exposure of Sensitive Information to an Unauthorized Actor",
         },
         discovery_date: "2021-09-19T00:00:00+00:00",
         ids: [
            {
               system_name: "Red Hat Bugzilla ID",
               text: "2011190",
            },
         ],
         notes: [
            {
               category: "description",
               text: "All versions of Apache Santuario - XML Security for Java prior to 2.2.3 and 2.1.7 are vulnerable to an issue where the \"secureValidation\" property is not passed correctly when creating a KeyInfo from a KeyInfoReference element. This allows an attacker to abuse an XPath Transform to extract any local .xml files in a RetrievalMethod element.",
               title: "Vulnerability description",
            },
            {
               category: "summary",
               text: "xml-security: XPath Transform abuse allows for information disclosure",
               title: "Vulnerability summary",
            },
            {
               category: "other",
               text: "Since OpenShift Container Platform (OCP) 4.7, the logging-elasticsearch6-container is shipping as a part of the OpenShift Logging product (openshift-logging/elasticsearch6-rhel8). The elasticsearch component delivered in OCP 4.6 is marked as `Out of support scope` because these versions are already under Maintenance Phase of the support.",
               title: "Statement",
            },
            {
               category: "general",
               text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
               title: "CVSS score applicability",
            },
         ],
         product_status: {
            fixed: [
               "8Base-RHOSE-Middleware:rh-sso-7/sso75-openshift-rhel8@sha256:720a7e4c4926c41c1219a90daaea3b971a3d0da5a152a96fed4fb544d80f52e3_amd64",
            ],
         },
         references: [
            {
               category: "self",
               summary: "Canonical URL",
               url: "https://access.redhat.com/security/cve/CVE-2021-40690",
            },
            {
               category: "external",
               summary: "RHBZ#2011190",
               url: "https://bugzilla.redhat.com/show_bug.cgi?id=2011190",
            },
            {
               category: "external",
               summary: "https://www.cve.org/CVERecord?id=CVE-2021-40690",
               url: "https://www.cve.org/CVERecord?id=CVE-2021-40690",
            },
            {
               category: "external",
               summary: "https://nvd.nist.gov/vuln/detail/CVE-2021-40690",
               url: "https://nvd.nist.gov/vuln/detail/CVE-2021-40690",
            },
            {
               category: "external",
               summary: "https://lists.apache.org/thread.html/r8848751b6a5dd78cc9e99d627e74fecfaffdfa1bb615dce827aad633%40%3Cdev.santuario.apache.org%3E",
               url: "https://lists.apache.org/thread.html/r8848751b6a5dd78cc9e99d627e74fecfaffdfa1bb615dce827aad633%40%3Cdev.santuario.apache.org%3E",
            },
         ],
         release_date: "2021-09-17T00:00:00+00:00",
         remediations: [
            {
               category: "vendor_fix",
               date: "2022-01-18T14:52:40+00:00",
               details: "To update to the latest Red Hat Single Sign-On 7.5.1 for OpenShift\nimage, Follow these steps to pull in the content:\n\n1. On your master hosts, ensure you are logged into the CLI as a\ncluster administrator or user with project administrator access\nto the global \"openshift\" project. For example:\n\n$ oc login -u system:admin\n\n2. Update the core set of Red Hat Single Sign-On resources for OpenShift\nin the \"openshift\" project by running the following commands:\n\n$ for resource in sso75-image-stream.json \\\nsso75-https.json \\\nsso75-mysql.json \\\nsso75-mysql-persistent.json \\\nsso75-postgresql.json \\\nsso75-postgresql-persistent.json \\\nsso75-x509-https.json \\\nsso75-x509-mysql-persistent.json \\\nsso75-x509-postgresql-persistent.json\ndo\noc replace -n openshift --force -f \\\nhttps://raw.githubusercontent.com/jboss-container-images/redhat-sso-7-openshift-image/v7.5.1.GA/templates/${resource}\ndone\n\n3. Install the Red Hat Single Sign-On 7.5.1 for OpenShift streams in the\n\"openshift\" project by running the following commands:\n\n$ oc -n openshift import-image redhat-sso75-openshift:1.0",
               product_ids: [
                  "8Base-RHOSE-Middleware:rh-sso-7/sso75-openshift-rhel8@sha256:720a7e4c4926c41c1219a90daaea3b971a3d0da5a152a96fed4fb544d80f52e3_amd64",
               ],
               restart_required: {
                  category: "none",
               },
               url: "https://access.redhat.com/errata/RHSA-2022:0164",
            },
         ],
         scores: [
            {
               cvss_v3: {
                  attackComplexity: "LOW",
                  attackVector: "NETWORK",
                  availabilityImpact: "NONE",
                  baseScore: 7.5,
                  baseSeverity: "HIGH",
                  confidentialityImpact: "HIGH",
                  integrityImpact: "NONE",
                  privilegesRequired: "NONE",
                  scope: "UNCHANGED",
                  userInteraction: "NONE",
                  vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
                  version: "3.1",
               },
               products: [
                  "8Base-RHOSE-Middleware:rh-sso-7/sso75-openshift-rhel8@sha256:720a7e4c4926c41c1219a90daaea3b971a3d0da5a152a96fed4fb544d80f52e3_amd64",
               ],
            },
         ],
         threats: [
            {
               category: "impact",
               details: "Moderate",
            },
         ],
         title: "xml-security: XPath Transform abuse allows for information disclosure",
      },
   ],
}

{
   document: {
      aggregate_severity: {
         namespace: "https://access.redhat.com/security/updates/classification/",
         text: "Moderate",
      },
      category: "csaf_security_advisory",
      csaf_version: "2.0",
      distribution: {
         text: "Copyright © Red Hat, Inc. All rights reserved.",
         tlp: {
            label: "WHITE",
            url: "https://www.first.org/tlp/",
         },
      },
      lang: "en",
      notes: [
         {
            category: "summary",
            text: "This advisory resolves CVE issues filed against XP2 releases that have been fixed in the underlying EAP 7.3.x base. There are no changes to the EAP XP2 code base.\n\nNOTE: This advisory is informational only. There are no code changes associated with it. No action is required.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
            title: "Topic",
         },
         {
            category: "general",
            text: "These are CVE issues filed against XP2 releases that have been fixed in the underlying EAP 7.3.x base. There are no changes to the EAP XP2 code base.\n\nSecurity Fix(es):\n\n* undertow: potential security issue in flow control over HTTP/2 may lead to DOS (CVE-2021-3629)\n\n* wildfly-elytron: possible timing attack in ScramServer (CVE-2021-3642)\n\n* wildfly: incorrect JBOSS_LOCAL_USER challenge location may lead to giving access to all the local users (CVE-2021-3717)\n\n* jsoup: Crafted input may cause the jsoup HTML and XML parser to get stuck (CVE-2021-37714)\n\n* xml-security: XPath Transform abuse allows for information disclosure (CVE-2021-40690)\n\n* resteasy: Error message exposes endpoint class information (CVE-2021-20289)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
            title: "Details",
         },
         {
            category: "legal_disclaimer",
            text: "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
            title: "Terms of Use",
         },
      ],
      publisher: {
         category: "vendor",
         contact_details: "https://access.redhat.com/security/team/contact/",
         issuing_authority: "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
         name: "Red Hat Product Security",
         namespace: "https://www.redhat.com",
      },
      references: [
         {
            category: "self",
            summary: "https://access.redhat.com/errata/RHSA-2022:0146",
            url: "https://access.redhat.com/errata/RHSA-2022:0146",
         },
         {
            category: "external",
            summary: "https://access.redhat.com/security/updates/classification/#moderate",
            url: "https://access.redhat.com/security/updates/classification/#moderate",
         },
         {
            category: "external",
            summary: "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.3/",
            url: "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.3/",
         },
         {
            category: "external",
            summary: "https://access.redhat.com/articles/5975301",
            url: "https://access.redhat.com/articles/5975301",
         },
         {
            category: "external",
            summary: "1935927",
            url: "https://bugzilla.redhat.com/show_bug.cgi?id=1935927",
         },
         {
            category: "external",
            summary: "1977362",
            url: "https://bugzilla.redhat.com/show_bug.cgi?id=1977362",
         },
         {
            category: "external",
            summary: "1981407",
            url: "https://bugzilla.redhat.com/show_bug.cgi?id=1981407",
         },
         {
            category: "external",
            summary: "1991305",
            url: "https://bugzilla.redhat.com/show_bug.cgi?id=1991305",
         },
         {
            category: "external",
            summary: "1995259",
            url: "https://bugzilla.redhat.com/show_bug.cgi?id=1995259",
         },
         {
            category: "external",
            summary: "2011190",
            url: "https://bugzilla.redhat.com/show_bug.cgi?id=2011190",
         },
         {
            category: "external",
            summary: "JBEAP-22652",
            url: "https://issues.redhat.com/browse/JBEAP-22652",
         },
         {
            category: "self",
            summary: "Canonical URL",
            url: "https://security.access.redhat.com/data/csaf/v2/advisories/2022/rhsa-2022_0146.json",
         },
      ],
      title: "Red Hat Security Advisory: EAP XP 2 security update to CVE fixes in the EAP 7.3.x base",
      tracking: {
         current_release_date: "2025-03-16T05:27:35+00:00",
         generator: {
            date: "2025-03-16T05:27:35+00:00",
            engine: {
               name: "Red Hat SDEngine",
               version: "4.4.1",
            },
         },
         id: "RHSA-2022:0146",
         initial_release_date: "2022-01-17T12:02:48+00:00",
         revision_history: [
            {
               date: "2022-01-17T12:02:48+00:00",
               number: "1",
               summary: "Initial version",
            },
            {
               date: "2022-01-17T12:02:48+00:00",
               number: "2",
               summary: "Last updated version",
            },
            {
               date: "2025-03-16T05:27:35+00:00",
               number: "3",
               summary: "Last generated version",
            },
         ],
         status: "final",
         version: "3",
      },
   },
   product_tree: {
      branches: [
         {
            branches: [
               {
                  branches: [
                     {
                        category: "product_name",
                        name: "Red Hat EAP-XP 2 via EAP 7.3.x base",
                        product: {
                           name: "Red Hat EAP-XP 2 via EAP 7.3.x base",
                           product_id: "Red Hat EAP-XP 2 via EAP 7.3.x base",
                           product_identification_helper: {
                              cpe: "cpe:/a:redhat:jbosseapxp",
                           },
                        },
                     },
                  ],
                  category: "product_family",
                  name: "Red Hat JBoss Enterprise Application Platform",
               },
            ],
            category: "vendor",
            name: "Red Hat",
         },
      ],
   },
   vulnerabilities: [
      {
         cve: "CVE-2021-3629",
         cwe: {
            id: "CWE-400",
            name: "Uncontrolled Resource Consumption",
         },
         discovery_date: "2021-04-06T00:00:00+00:00",
         ids: [
            {
               system_name: "Red Hat Bugzilla ID",
               text: "1977362",
            },
         ],
         notes: [
            {
               category: "description",
               text: "A flaw was found in Undertow. A potential security issue in flow control handling by the browser over http/2 may potentially cause overhead or a denial of service in the server. The highest threat from this vulnerability is availability.",
               title: "Vulnerability description",
            },
            {
               category: "summary",
               text: "undertow: potential security issue in flow control over HTTP/2 may lead to DOS",
               title: "Vulnerability summary",
            },
            {
               category: "general",
               text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
               title: "CVSS score applicability",
            },
         ],
         product_status: {
            fixed: [
               "Red Hat EAP-XP 2 via EAP 7.3.x base",
            ],
         },
         references: [
            {
               category: "self",
               summary: "Canonical URL",
               url: "https://access.redhat.com/security/cve/CVE-2021-3629",
            },
            {
               category: "external",
               summary: "RHBZ#1977362",
               url: "https://bugzilla.redhat.com/show_bug.cgi?id=1977362",
            },
            {
               category: "external",
               summary: "https://www.cve.org/CVERecord?id=CVE-2021-3629",
               url: "https://www.cve.org/CVERecord?id=CVE-2021-3629",
            },
            {
               category: "external",
               summary: "https://nvd.nist.gov/vuln/detail/CVE-2021-3629",
               url: "https://nvd.nist.gov/vuln/detail/CVE-2021-3629",
            },
         ],
         release_date: "2021-03-29T00:00:00+00:00",
         remediations: [
            {
               category: "vendor_fix",
               date: "2022-01-17T12:02:48+00:00",
               details: "This advisory is informational only. There are no code changes associated with it. No action is required.",
               product_ids: [
                  "Red Hat EAP-XP 2 via EAP 7.3.x base",
               ],
               restart_required: {
                  category: "none",
               },
               url: "https://access.redhat.com/errata/RHSA-2022:0146",
            },
         ],
         scores: [
            {
               cvss_v3: {
                  attackComplexity: "HIGH",
                  attackVector: "NETWORK",
                  availabilityImpact: "HIGH",
                  baseScore: 5.9,
                  baseSeverity: "MEDIUM",
                  confidentialityImpact: "NONE",
                  integrityImpact: "NONE",
                  privilegesRequired: "NONE",
                  scope: "UNCHANGED",
                  userInteraction: "NONE",
                  vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
                  version: "3.1",
               },
               products: [
                  "Red Hat EAP-XP 2 via EAP 7.3.x base",
               ],
            },
         ],
         threats: [
            {
               category: "impact",
               details: "Moderate",
            },
         ],
         title: "undertow: potential security issue in flow control over HTTP/2 may lead to DOS",
      },
      {
         cve: "CVE-2021-3642",
         cwe: {
            id: "CWE-203",
            name: "Observable Discrepancy",
         },
         discovery_date: "2021-06-30T00:00:00+00:00",
         ids: [
            {
               system_name: "Red Hat Bugzilla ID",
               text: "1981407",
            },
         ],
         notes: [
            {
               category: "description",
               text: "A flaw was found in Wildfly Elytron where ScramServer may be susceptible to Timing Attack if enabled. The highest threat of this vulnerability is confidentiality.",
               title: "Vulnerability description",
            },
            {
               category: "summary",
               text: "wildfly-elytron: possible timing attack in ScramServer",
               title: "Vulnerability summary",
            },
            {
               category: "general",
               text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
               title: "CVSS score applicability",
            },
         ],
         product_status: {
            fixed: [
               "Red Hat EAP-XP 2 via EAP 7.3.x base",
            ],
         },
         references: [
            {
               category: "self",
               summary: "Canonical URL",
               url: "https://access.redhat.com/security/cve/CVE-2021-3642",
            },
            {
               category: "external",
               summary: "RHBZ#1981407",
               url: "https://bugzilla.redhat.com/show_bug.cgi?id=1981407",
            },
            {
               category: "external",
               summary: "https://www.cve.org/CVERecord?id=CVE-2021-3642",
               url: "https://www.cve.org/CVERecord?id=CVE-2021-3642",
            },
            {
               category: "external",
               summary: "https://nvd.nist.gov/vuln/detail/CVE-2021-3642",
               url: "https://nvd.nist.gov/vuln/detail/CVE-2021-3642",
            },
         ],
         release_date: "2021-06-30T00:00:00+00:00",
         remediations: [
            {
               category: "vendor_fix",
               date: "2022-01-17T12:02:48+00:00",
               details: "This advisory is informational only. There are no code changes associated with it. No action is required.",
               product_ids: [
                  "Red Hat EAP-XP 2 via EAP 7.3.x base",
               ],
               restart_required: {
                  category: "none",
               },
               url: "https://access.redhat.com/errata/RHSA-2022:0146",
            },
         ],
         scores: [
            {
               cvss_v3: {
                  attackComplexity: "HIGH",
                  attackVector: "NETWORK",
                  availabilityImpact: "NONE",
                  baseScore: 3.1,
                  baseSeverity: "LOW",
                  confidentialityImpact: "LOW",
                  integrityImpact: "NONE",
                  privilegesRequired: "LOW",
                  scope: "UNCHANGED",
                  userInteraction: "NONE",
                  vectorString: "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N",
                  version: "3.1",
               },
               products: [
                  "Red Hat EAP-XP 2 via EAP 7.3.x base",
               ],
            },
         ],
         threats: [
            {
               category: "impact",
               details: "Moderate",
            },
         ],
         title: "wildfly-elytron: possible timing attack in ScramServer",
      },
      {
         cve: "CVE-2021-3717",
         cwe: {
            id: "CWE-552",
            name: "Files or Directories Accessible to External Parties",
         },
         discovery_date: "2021-07-27T00:00:00+00:00",
         ids: [
            {
               system_name: "Red Hat Bugzilla ID",
               text: "1991305",
            },
         ],
         notes: [
            {
               category: "description",
               text: "A flaw was found in Wildfly. An incorrect JBOSS_LOCAL_USER challenge location when using the elytron configuration may lead to JBOSS_LOCAL_USER access to all users on the machine. The highest threat from this vulnerability is to confidentiality, integrity, and availability.",
               title: "Vulnerability description",
            },
            {
               category: "summary",
               text: "wildfly: incorrect JBOSS_LOCAL_USER challenge location may lead to giving access to all the local users",
               title: "Vulnerability summary",
            },
            {
               category: "general",
               text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
               title: "CVSS score applicability",
            },
         ],
         product_status: {
            fixed: [
               "Red Hat EAP-XP 2 via EAP 7.3.x base",
            ],
         },
         references: [
            {
               category: "self",
               summary: "Canonical URL",
               url: "https://access.redhat.com/security/cve/CVE-2021-3717",
            },
            {
               category: "external",
               summary: "RHBZ#1991305",
               url: "https://bugzilla.redhat.com/show_bug.cgi?id=1991305",
            },
            {
               category: "external",
               summary: "https://www.cve.org/CVERecord?id=CVE-2021-3717",
               url: "https://www.cve.org/CVERecord?id=CVE-2021-3717",
            },
            {
               category: "external",
               summary: "https://nvd.nist.gov/vuln/detail/CVE-2021-3717",
               url: "https://nvd.nist.gov/vuln/detail/CVE-2021-3717",
            },
         ],
         release_date: "2021-08-18T00:00:00+00:00",
         remediations: [
            {
               category: "vendor_fix",
               date: "2022-01-17T12:02:48+00:00",
               details: "This advisory is informational only. There are no code changes associated with it. No action is required.",
               product_ids: [
                  "Red Hat EAP-XP 2 via EAP 7.3.x base",
               ],
               restart_required: {
                  category: "none",
               },
               url: "https://access.redhat.com/errata/RHSA-2022:0146",
            },
         ],
         scores: [
            {
               cvss_v3: {
                  attackComplexity: "LOW",
                  attackVector: "LOCAL",
                  availabilityImpact: "HIGH",
                  baseScore: 7.8,
                  baseSeverity: "HIGH",
                  confidentialityImpact: "HIGH",
                  integrityImpact: "HIGH",
                  privilegesRequired: "LOW",
                  scope: "UNCHANGED",
                  userInteraction: "NONE",
                  vectorString: "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
                  version: "3.1",
               },
               products: [
                  "Red Hat EAP-XP 2 via EAP 7.3.x base",
               ],
            },
         ],
         threats: [
            {
               category: "impact",
               details: "Moderate",
            },
         ],
         title: "wildfly: incorrect JBOSS_LOCAL_USER challenge location may lead to giving access to all the local users",
      },
      {
         acknowledgments: [
            {
               names: [
                  "Dirk Papenberg",
               ],
               organization: "NTT DATA Germany",
            },
         ],
         cve: "CVE-2021-20289",
         cwe: {
            id: "CWE-209",
            name: "Generation of Error Message Containing Sensitive Information",
         },
         discovery_date: "2021-03-05T00:00:00+00:00",
         ids: [
            {
               system_name: "Red Hat Bugzilla ID",
               text: "1935927",
            },
         ],
         notes: [
            {
               category: "description",
               text: "A flaw was found in RESTEasy in all versions of RESTEasy up to 4.6.0.Final. The endpoint class and method names are returned as part of the exception response when RESTEasy cannot convert one of the request URI path or query values to the matching JAX-RS resource method's parameter value. The highest threat from this vulnerability is to data confidentiality.",
               title: "Vulnerability description",
            },
            {
               category: "summary",
               text: "resteasy: Error message exposes endpoint class information",
               title: "Vulnerability summary",
            },
            {
               category: "general",
               text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
               title: "CVSS score applicability",
            },
         ],
         product_status: {
            fixed: [
               "Red Hat EAP-XP 2 via EAP 7.3.x base",
            ],
         },
         references: [
            {
               category: "self",
               summary: "Canonical URL",
               url: "https://access.redhat.com/security/cve/CVE-2021-20289",
            },
            {
               category: "external",
               summary: "RHBZ#1935927",
               url: "https://bugzilla.redhat.com/show_bug.cgi?id=1935927",
            },
            {
               category: "external",
               summary: "https://www.cve.org/CVERecord?id=CVE-2021-20289",
               url: "https://www.cve.org/CVERecord?id=CVE-2021-20289",
            },
            {
               category: "external",
               summary: "https://nvd.nist.gov/vuln/detail/CVE-2021-20289",
               url: "https://nvd.nist.gov/vuln/detail/CVE-2021-20289",
            },
         ],
         release_date: "2021-03-03T00:00:00+00:00",
         remediations: [
            {
               category: "vendor_fix",
               date: "2022-01-17T12:02:48+00:00",
               details: "This advisory is informational only. There are no code changes associated with it. No action is required.",
               product_ids: [
                  "Red Hat EAP-XP 2 via EAP 7.3.x base",
               ],
               restart_required: {
                  category: "none",
               },
               url: "https://access.redhat.com/errata/RHSA-2022:0146",
            },
         ],
         scores: [
            {
               cvss_v3: {
                  attackComplexity: "LOW",
                  attackVector: "NETWORK",
                  availabilityImpact: "NONE",
                  baseScore: 5.3,
                  baseSeverity: "MEDIUM",
                  confidentialityImpact: "LOW",
                  integrityImpact: "NONE",
                  privilegesRequired: "NONE",
                  scope: "UNCHANGED",
                  userInteraction: "NONE",
                  vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
                  version: "3.1",
               },
               products: [
                  "Red Hat EAP-XP 2 via EAP 7.3.x base",
               ],
            },
         ],
         threats: [
            {
               category: "impact",
               details: "Low",
            },
         ],
         title: "resteasy: Error message exposes endpoint class information",
      },
      {
         cve: "CVE-2021-37714",
         cwe: {
            id: "CWE-400",
            name: "Uncontrolled Resource Consumption",
         },
         discovery_date: "2021-08-18T00:00:00+00:00",
         ids: [
            {
               system_name: "Red Hat Bugzilla ID",
               text: "1995259",
            },
         ],
         notes: [
            {
               category: "description",
               text: "jsoup is a Java library for working with HTML. Those using jsoup versions prior to 1.14.2 to parse untrusted HTML or XML may be vulnerable to DOS attacks. If the parser is run on user supplied input, an attacker may supply content that causes the parser to get stuck (loop indefinitely until cancelled), to complete more slowly than usual, or to throw an unexpected exception. This effect may support a denial of service attack. The issue is patched in version 1.14.2. There are a few available workarounds. Users may rate limit input parsing, limit the size of inputs based on system resources, and/or implement thread watchdogs to cap and timeout parse runtimes.",
               title: "Vulnerability description",
            },
            {
               category: "summary",
               text: "jsoup: Crafted input may cause the jsoup HTML and XML parser to get stuck",
               title: "Vulnerability summary",
            },
            {
               category: "general",
               text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
               title: "CVSS score applicability",
            },
         ],
         product_status: {
            fixed: [
               "Red Hat EAP-XP 2 via EAP 7.3.x base",
            ],
         },
         references: [
            {
               category: "self",
               summary: "Canonical URL",
               url: "https://access.redhat.com/security/cve/CVE-2021-37714",
            },
            {
               category: "external",
               summary: "RHBZ#1995259",
               url: "https://bugzilla.redhat.com/show_bug.cgi?id=1995259",
            },
            {
               category: "external",
               summary: "https://www.cve.org/CVERecord?id=CVE-2021-37714",
               url: "https://www.cve.org/CVERecord?id=CVE-2021-37714",
            },
            {
               category: "external",
               summary: "https://nvd.nist.gov/vuln/detail/CVE-2021-37714",
               url: "https://nvd.nist.gov/vuln/detail/CVE-2021-37714",
            },
            {
               category: "external",
               summary: "https://github.com/jhy/jsoup/security/advisories/GHSA-m72m-mhq2-9p6c",
               url: "https://github.com/jhy/jsoup/security/advisories/GHSA-m72m-mhq2-9p6c",
            },
         ],
         release_date: "2021-08-18T00:00:00+00:00",
         remediations: [
            {
               category: "vendor_fix",
               date: "2022-01-17T12:02:48+00:00",
               details: "This advisory is informational only. There are no code changes associated with it. No action is required.",
               product_ids: [
                  "Red Hat EAP-XP 2 via EAP 7.3.x base",
               ],
               restart_required: {
                  category: "none",
               },
               url: "https://access.redhat.com/errata/RHSA-2022:0146",
            },
         ],
         scores: [
            {
               cvss_v3: {
                  attackComplexity: "LOW",
                  attackVector: "NETWORK",
                  availabilityImpact: "HIGH",
                  baseScore: 7.5,
                  baseSeverity: "HIGH",
                  confidentialityImpact: "NONE",
                  integrityImpact: "NONE",
                  privilegesRequired: "NONE",
                  scope: "UNCHANGED",
                  userInteraction: "NONE",
                  vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                  version: "3.1",
               },
               products: [
                  "Red Hat EAP-XP 2 via EAP 7.3.x base",
               ],
            },
         ],
         threats: [
            {
               category: "impact",
               details: "Moderate",
            },
         ],
         title: "jsoup: Crafted input may cause the jsoup HTML and XML parser to get stuck",
      },
      {
         cve: "CVE-2021-40690",
         cwe: {
            id: "CWE-200",
            name: "Exposure of Sensitive Information to an Unauthorized Actor",
         },
         discovery_date: "2021-09-19T00:00:00+00:00",
         ids: [
            {
               system_name: "Red Hat Bugzilla ID",
               text: "2011190",
            },
         ],
         notes: [
            {
               category: "description",
               text: "All versions of Apache Santuario - XML Security for Java prior to 2.2.3 and 2.1.7 are vulnerable to an issue where the \"secureValidation\" property is not passed correctly when creating a KeyInfo from a KeyInfoReference element. This allows an attacker to abuse an XPath Transform to extract any local .xml files in a RetrievalMethod element.",
               title: "Vulnerability description",
            },
            {
               category: "summary",
               text: "xml-security: XPath Transform abuse allows for information disclosure",
               title: "Vulnerability summary",
            },
            {
               category: "other",
               text: "Since OpenShift Container Platform (OCP) 4.7, the logging-elasticsearch6-container is shipping as a part of the OpenShift Logging product (openshift-logging/elasticsearch6-rhel8). The elasticsearch component delivered in OCP 4.6 is marked as `Out of support scope` because these versions are already under Maintenance Phase of the support.",
               title: "Statement",
            },
            {
               category: "general",
               text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
               title: "CVSS score applicability",
            },
         ],
         product_status: {
            fixed: [
               "Red Hat EAP-XP 2 via EAP 7.3.x base",
            ],
         },
         references: [
            {
               category: "self",
               summary: "Canonical URL",
               url: "https://access.redhat.com/security/cve/CVE-2021-40690",
            },
            {
               category: "external",
               summary: "RHBZ#2011190",
               url: "https://bugzilla.redhat.com/show_bug.cgi?id=2011190",
            },
            {
               category: "external",
               summary: "https://www.cve.org/CVERecord?id=CVE-2021-40690",
               url: "https://www.cve.org/CVERecord?id=CVE-2021-40690",
            },
            {
               category: "external",
               summary: "https://nvd.nist.gov/vuln/detail/CVE-2021-40690",
               url: "https://nvd.nist.gov/vuln/detail/CVE-2021-40690",
            },
            {
               category: "external",
               summary: "https://lists.apache.org/thread.html/r8848751b6a5dd78cc9e99d627e74fecfaffdfa1bb615dce827aad633%40%3Cdev.santuario.apache.org%3E",
               url: "https://lists.apache.org/thread.html/r8848751b6a5dd78cc9e99d627e74fecfaffdfa1bb615dce827aad633%40%3Cdev.santuario.apache.org%3E",
            },
         ],
         release_date: "2021-09-17T00:00:00+00:00",
         remediations: [
            {
               category: "vendor_fix",
               date: "2022-01-17T12:02:48+00:00",
               details: "This advisory is informational only. There are no code changes associated with it. No action is required.",
               product_ids: [
                  "Red Hat EAP-XP 2 via EAP 7.3.x base",
               ],
               restart_required: {
                  category: "none",
               },
               url: "https://access.redhat.com/errata/RHSA-2022:0146",
            },
         ],
         scores: [
            {
               cvss_v3: {
                  attackComplexity: "LOW",
                  attackVector: "NETWORK",
                  availabilityImpact: "NONE",
                  baseScore: 7.5,
                  baseSeverity: "HIGH",
                  confidentialityImpact: "HIGH",
                  integrityImpact: "NONE",
                  privilegesRequired: "NONE",
                  scope: "UNCHANGED",
                  userInteraction: "NONE",
                  vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
                  version: "3.1",
               },
               products: [
                  "Red Hat EAP-XP 2 via EAP 7.3.x base",
               ],
            },
         ],
         threats: [
            {
               category: "impact",
               details: "Moderate",
            },
         ],
         title: "xml-security: XPath Transform abuse allows for information disclosure",
      },
   ],
}

{
   document: {
      aggregate_severity: {
         namespace: "https://access.redhat.com/security/updates/classification/",
         text: "Moderate",
      },
      category: "csaf_security_advisory",
      csaf_version: "2.0",
      distribution: {
         text: "Copyright © Red Hat, Inc. All rights reserved.",
         tlp: {
            label: "WHITE",
            url: "https://www.first.org/tlp/",
         },
      },
      lang: "en",
      notes: [
         {
            category: "summary",
            text: "Red Hat AMQ Broker 7.9.0 is now available from the Red Hat Customer Portal.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
            title: "Topic",
         },
         {
            category: "general",
            text: "AMQ Broker is a high-performance messaging implementation based on ActiveMQ Artemis. It uses an asynchronous journal for fast message persistence, and supports multiple languages, protocols, and platforms. \n\nThis release of Red Hat AMQ Broker 7.9.0 serves as a replacement for Red Hat AMQ Broker 7.8.2, and includes security and bug fixes, and enhancements. For further information, refer to the release notes linked to in the References section.\n\nSecurity Fix(es):\n\n* httpclient: apache-httpclient: incorrect handling of malformed authority component in request URIs (CVE-2020-13956)\n\n* jetty: request containing multiple Accept headers with a large number of \"quality\" parameters may lead to DoS (CVE-2020-27223)\n\n* resteasy-jaxrs: resteasy: Error message exposes endpoint class information (CVE-2021-20289)\n\n* netty: Information disclosure via the local system temporary directory (CVE-2021-21290)\n\n* netty: possible request smuggling in HTTP/2 due missing validation (CVE-2021-21295)\n\n* netty: Request smuggling via content-length header (CVE-2021-21409)\n\n* jetty-server: jetty: Symlink directory exposes webapp directory contents (CVE-2021-28163)\n\n* jetty-server: jetty: Ambiguous paths can access WEB-INF (CVE-2021-28164)\n\n* jetty-server: jetty: Resource exhaustion when receiving an invalid large TLS frame (CVE-2021-28165)\n\n* jetty-server: jetty: requests to the ConcatServlet and WelcomeFilter are able to access protected resources within the WEB-INF directory (CVE-2021-28169)\n\n* commons-io: apache-commons-io: Limited path traversal in Apache Commons IO 2.2 to 2.6 (CVE-2021-29425)\n\n* broker: Red Hat AMQ Broker: discloses JDBC username and password in the application log file (CVE-2021-3425)\n\n* jetty-server: jetty: SessionListener can prevent a session from being invalidated breaking logout (CVE-2021-34428)\n\n* jetty-server: jetty: crafted URIs allow bypassing security constraints (CVE-2021-34429)\n\n* broker: AMQ Broker 7: Incorrect privilege in Management Console (CVE-2021-3763)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
            title: "Details",
         },
         {
            category: "legal_disclaimer",
            text: "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
            title: "Terms of Use",
         },
      ],
      publisher: {
         category: "vendor",
         contact_details: "https://access.redhat.com/security/team/contact/",
         issuing_authority: "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
         name: "Red Hat Product Security",
         namespace: "https://www.redhat.com",
      },
      references: [
         {
            category: "self",
            summary: "https://access.redhat.com/errata/RHSA-2021:3700",
            url: "https://access.redhat.com/errata/RHSA-2021:3700",
         },
         {
            category: "external",
            summary: "https://access.redhat.com/security/updates/classification/#moderate",
            url: "https://access.redhat.com/security/updates/classification/#moderate",
         },
         {
            category: "external",
            summary: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=jboss.amq.broker&version=7.9.0",
            url: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=jboss.amq.broker&version=7.9.0",
         },
         {
            category: "external",
            summary: "https://access.redhat.com/documentation/en-us/red_hat_amq/2021.q4",
            url: "https://access.redhat.com/documentation/en-us/red_hat_amq/2021.q4",
         },
         {
            category: "external",
            summary: "1886587",
            url: "https://bugzilla.redhat.com/show_bug.cgi?id=1886587",
         },
         {
            category: "external",
            summary: "1927028",
            url: "https://bugzilla.redhat.com/show_bug.cgi?id=1927028",
         },
         {
            category: "external",
            summary: "1934116",
            url: "https://bugzilla.redhat.com/show_bug.cgi?id=1934116",
         },
         {
            category: "external",
            summary: "1935927",
            url: "https://bugzilla.redhat.com/show_bug.cgi?id=1935927",
         },
         {
            category: "external",
            summary: "1936629",
            url: "https://bugzilla.redhat.com/show_bug.cgi?id=1936629",
         },
         {
            category: "external",
            summary: "1937364",
            url: "https://bugzilla.redhat.com/show_bug.cgi?id=1937364",
         },
         {
            category: "external",
            summary: "1944888",
            url: "https://bugzilla.redhat.com/show_bug.cgi?id=1944888",
         },
         {
            category: "external",
            summary: "1945710",
            url: "https://bugzilla.redhat.com/show_bug.cgi?id=1945710",
         },
         {
            category: "external",
            summary: "1945712",
            url: "https://bugzilla.redhat.com/show_bug.cgi?id=1945712",
         },
         {
            category: "external",
            summary: "1945714",
            url: "https://bugzilla.redhat.com/show_bug.cgi?id=1945714",
         },
         {
            category: "external",
            summary: "1948752",
            url: "https://bugzilla.redhat.com/show_bug.cgi?id=1948752",
         },
         {
            category: "external",
            summary: "1971016",
            url: "https://bugzilla.redhat.com/show_bug.cgi?id=1971016",
         },
         {
            category: "external",
            summary: "1974891",
            url: "https://bugzilla.redhat.com/show_bug.cgi?id=1974891",
         },
         {
            category: "external",
            summary: "1985223",
            url: "https://bugzilla.redhat.com/show_bug.cgi?id=1985223",
         },
         {
            category: "external",
            summary: "2000654",
            url: "https://bugzilla.redhat.com/show_bug.cgi?id=2000654",
         },
         {
            category: "self",
            summary: "Canonical URL",
            url: "https://security.access.redhat.com/data/csaf/v2/advisories/2021/rhsa-2021_3700.json",
         },
      ],
      title: "Red Hat Security Advisory: Red Hat AMQ Broker 7.9.0 release and security update",
      tracking: {
         current_release_date: "2025-03-15T23:13:59+00:00",
         generator: {
            date: "2025-03-15T23:13:59+00:00",
            engine: {
               name: "Red Hat SDEngine",
               version: "4.4.1",
            },
         },
         id: "RHSA-2021:3700",
         initial_release_date: "2021-09-30T09:57:35+00:00",
         revision_history: [
            {
               date: "2021-09-30T09:57:35+00:00",
               number: "1",
               summary: "Initial version",
            },
            {
               date: "2021-09-30T09:57:35+00:00",
               number: "2",
               summary: "Last updated version",
            },
            {
               date: "2025-03-15T23:13:59+00:00",
               number: "3",
               summary: "Last generated version",
            },
         ],
         status: "final",
         version: "3",
      },
   },
   product_tree: {
      branches: [
         {
            branches: [
               {
                  branches: [
                     {
                        category: "product_name",
                        name: "Red Hat AMQ 7.9.0",
                        product: {
                           name: "Red Hat AMQ 7.9.0",
                           product_id: "Red Hat AMQ 7.9.0",
                           product_identification_helper: {
                              cpe: "cpe:/a:redhat:amq_broker:7",
                           },
                        },
                     },
                  ],
                  category: "product_family",
                  name: "Red Hat JBoss AMQ",
               },
            ],
            category: "vendor",
            name: "Red Hat",
         },
      ],
   },
   vulnerabilities: [
      {
         cve: "CVE-2020-13956",
         cwe: {
            id: "CWE-20",
            name: "Improper Input Validation",
         },
         discovery_date: "2020-10-08T00:00:00+00:00",
         ids: [
            {
               system_name: "Red Hat Bugzilla ID",
               text: "1886587",
            },
         ],
         notes: [
            {
               category: "description",
               text: "Apache HttpClient versions prior to version 4.5.13 and 5.0.3 can misinterpret malformed authority component in request URIs passed to the library as java.net.URI object and pick the wrong target host for request execution.",
               title: "Vulnerability description",
            },
            {
               category: "summary",
               text: "apache-httpclient: incorrect handling of malformed authority component in request URIs",
               title: "Vulnerability summary",
            },
            {
               category: "other",
               text: "In OpenShift Container Platform (OCP) the affected components are behind OpenShift OAuth authentication. This restricts access to the vulnerable httpclient library to authenticated users only. Additionally the vulnerable httpclient library is not used directly in OCP components, therefore the impact by this vulnerability is Low.\nIn OCP 4 there are no plans to maintain ose-logging-elasticsearch5 container, hence marked as wontfix.\n\nIn the Red Hat Enterprise Linux platforms, Maven 35 and 36 are affected via their respective `httpcomponents-client` component.",
               title: "Statement",
            },
            {
               category: "general",
               text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
               title: "CVSS score applicability",
            },
         ],
         product_status: {
            fixed: [
               "Red Hat AMQ 7.9.0",
            ],
         },
         references: [
            {
               category: "self",
               summary: "Canonical URL",
               url: "https://access.redhat.com/security/cve/CVE-2020-13956",
            },
            {
               category: "external",
               summary: "RHBZ#1886587",
               url: "https://bugzilla.redhat.com/show_bug.cgi?id=1886587",
            },
            {
               category: "external",
               summary: "https://www.cve.org/CVERecord?id=CVE-2020-13956",
               url: "https://www.cve.org/CVERecord?id=CVE-2020-13956",
            },
            {
               category: "external",
               summary: "https://nvd.nist.gov/vuln/detail/CVE-2020-13956",
               url: "https://nvd.nist.gov/vuln/detail/CVE-2020-13956",
            },
            {
               category: "external",
               summary: "https://www.openwall.com/lists/oss-security/2020/10/08/4",
               url: "https://www.openwall.com/lists/oss-security/2020/10/08/4",
            },
         ],
         release_date: "2020-10-08T00:00:00+00:00",
         remediations: [
            {
               category: "vendor_fix",
               date: "2021-09-30T09:57:35+00:00",
               details: "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
               product_ids: [
                  "Red Hat AMQ 7.9.0",
               ],
               restart_required: {
                  category: "none",
               },
               url: "https://access.redhat.com/errata/RHSA-2021:3700",
            },
         ],
         scores: [
            {
               cvss_v3: {
                  attackComplexity: "LOW",
                  attackVector: "NETWORK",
                  availabilityImpact: "NONE",
                  baseScore: 5.3,
                  baseSeverity: "MEDIUM",
                  confidentialityImpact: "NONE",
                  integrityImpact: "LOW",
                  privilegesRequired: "NONE",
                  scope: "UNCHANGED",
                  userInteraction: "NONE",
                  vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
                  version: "3.1",
               },
               products: [
                  "Red Hat AMQ 7.9.0",
               ],
            },
         ],
         threats: [
            {
               category: "impact",
               details: "Low",
            },
         ],
         title: "apache-httpclient: incorrect handling of malformed authority component in request URIs",
      },
      {
         cve: "CVE-2020-27223",
         cwe: {
            id: "CWE-400",
            name: "Uncontrolled Resource Consumption",
         },
         discovery_date: "2021-02-26T00:00:00+00:00",
         ids: [
            {
               system_name: "Red Hat Bugzilla ID",
               text: "1934116",
            },
         ],
         notes: [
            {
               category: "description",
               text: "In Eclipse Jetty 9.4.6.v20170531 to 9.4.36.v20210114 (inclusive), 10.0.0, and 11.0.0 when Jetty handles a request containing multiple Accept headers with a large number of “quality” (i.e. q) parameters, the server may enter a denial of service (DoS) state due to high CPU usage processing those quality values, resulting in minutes of CPU time exhausted processing those quality values.",
               title: "Vulnerability description",
            },
            {
               category: "summary",
               text: "jetty: request containing multiple Accept headers with a large number of \"quality\" parameters may lead to DoS",
               title: "Vulnerability summary",
            },
            {
               category: "other",
               text: "In OpenShift Container Platform (OCP), the Hive/Presto/Hadoop components that comprise the OCP Metering stack, ship the vulnerable version of jetty.\nSince the release of OCP 4.6, the Metering product has been deprecated [1], hence the affected components are marked as wontfix.\nThis may be fixed in the future.\n\n[1] https://docs.openshift.com/container-platform/4.6/release_notes/ocp-4-6-release-notes.html#ocp-4-6-metering-operator-deprecated",
               title: "Statement",
            },
            {
               category: "general",
               text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
               title: "CVSS score applicability",
            },
         ],
         product_status: {
            fixed: [
               "Red Hat AMQ 7.9.0",
            ],
         },
         references: [
            {
               category: "self",
               summary: "Canonical URL",
               url: "https://access.redhat.com/security/cve/CVE-2020-27223",
            },
            {
               category: "external",
               summary: "RHBZ#1934116",
               url: "https://bugzilla.redhat.com/show_bug.cgi?id=1934116",
            },
            {
               category: "external",
               summary: "https://www.cve.org/CVERecord?id=CVE-2020-27223",
               url: "https://www.cve.org/CVERecord?id=CVE-2020-27223",
            },
            {
               category: "external",
               summary: "https://nvd.nist.gov/vuln/detail/CVE-2020-27223",
               url: "https://nvd.nist.gov/vuln/detail/CVE-2020-27223",
            },
            {
               category: "external",
               summary: "https://github.com/eclipse/jetty.project/security/advisories/GHSA-m394-8rww-3jr7",
               url: "https://github.com/eclipse/jetty.project/security/advisories/GHSA-m394-8rww-3jr7",
            },
         ],
         release_date: "2021-02-26T00:00:00+00:00",
         remediations: [
            {
               category: "vendor_fix",
               date: "2021-09-30T09:57:35+00:00",
               details: "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
               product_ids: [
                  "Red Hat AMQ 7.9.0",
               ],
               restart_required: {
                  category: "none",
               },
               url: "https://access.redhat.com/errata/RHSA-2021:3700",
            },
         ],
         scores: [
            {
               cvss_v3: {
                  attackComplexity: "LOW",
                  attackVector: "NETWORK",
                  availabilityImpact: "LOW",
                  baseScore: 5.3,
                  baseSeverity: "MEDIUM",
                  confidentialityImpact: "NONE",
                  integrityImpact: "NONE",
                  privilegesRequired: "NONE",
                  scope: "UNCHANGED",
                  userInteraction: "NONE",
                  vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
                  version: "3.1",
               },
               products: [
                  "Red Hat AMQ 7.9.0",
               ],
            },
         ],
         threats: [
            {
               category: "impact",
               details: "Moderate",
            },
         ],
         title: "jetty: request containing multiple Accept headers with a large number of \"quality\" parameters may lead to DoS",
      },
      {
         acknowledgments: [
            {
               names: [
                  "Wai Chun Hui",
               ],
               organization: "Red Hat",
               summary: "This issue was discovered by Red Hat.",
            },
         ],
         cve: "CVE-2021-3425",
         cwe: {
            id: "CWE-532",
            name: "Insertion of Sensitive Information into Log File",
         },
         discovery_date: "2021-03-08T00:00:00+00:00",
         ids: [
            {
               system_name: "Red Hat Bugzilla ID",
               text: "1936629",
            },
         ],
         notes: [
            {
               category: "description",
               text: "A flaw was found in the AMQ Broker that discloses JDBC encrypted usernames and passwords when provided in the AMQ Broker application logfile when using the jdbc persistence functionality. Versions shipped in Red Hat AMQ 7 are vulnerable.",
               title: "Vulnerability description",
            },
            {
               category: "summary",
               text: "Broker: discloses JDBC username and password in the application log file",
               title: "Vulnerability summary",
            },
            {
               category: "general",
               text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
               title: "CVSS score applicability",
            },
         ],
         product_status: {
            fixed: [
               "Red Hat AMQ 7.9.0",
            ],
         },
         references: [
            {
               category: "self",
               summary: "Canonical URL",
               url: "https://access.redhat.com/security/cve/CVE-2021-3425",
            },
            {
               category: "external",
               summary: "RHBZ#1936629",
               url: "https://bugzilla.redhat.com/show_bug.cgi?id=1936629",
            },
            {
               category: "external",
               summary: "https://www.cve.org/CVERecord?id=CVE-2021-3425",
               url: "https://www.cve.org/CVERecord?id=CVE-2021-3425",
            },
            {
               category: "external",
               summary: "https://nvd.nist.gov/vuln/detail/CVE-2021-3425",
               url: "https://nvd.nist.gov/vuln/detail/CVE-2021-3425",
            },
         ],
         release_date: "2021-03-08T20:30:00+00:00",
         remediations: [
            {
               category: "vendor_fix",
               date: "2021-09-30T09:57:35+00:00",
               details: "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
               product_ids: [
                  "Red Hat AMQ 7.9.0",
               ],
               restart_required: {
                  category: "none",
               },
               url: "https://access.redhat.com/errata/RHSA-2021:3700",
            },
         ],
         scores: [
            {
               cvss_v3: {
                  attackComplexity: "LOW",
                  attackVector: "LOCAL",
                  availabilityImpact: "NONE",
                  baseScore: 4.4,
                  baseSeverity: "MEDIUM",
                  confidentialityImpact: "HIGH",
                  integrityImpact: "NONE",
                  privilegesRequired: "HIGH",
                  scope: "UNCHANGED",
                  userInteraction: "NONE",
                  vectorString: "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
                  version: "3.1",
               },
               products: [
                  "Red Hat AMQ 7.9.0",
               ],
            },
         ],
         threats: [
            {
               category: "impact",
               details: "Moderate",
            },
         ],
         title: "Broker: discloses JDBC username and password in the application log file",
      },
      {
         acknowledgments: [
            {
               names: [
                  "Mudassar Iqbal",
               ],
               organization: "Red Hat",
               summary: "This issue was discovered by Red Hat.",
            },
         ],
         cve: "CVE-2021-3763",
         cwe: {
            id: "CWE-863",
            name: "Incorrect Authorization",
         },
         discovery_date: "2021-06-24T00:00:00+00:00",
         ids: [
            {
               system_name: "Red Hat Bugzilla ID",
               text: "2000654",
            },
         ],
         notes: [
            {
               category: "description",
               text: "A flaw was found in the Red Hat AMQ Broker management console in version 7.8 where an existing user is able to access some limited information even when the role the user is assigned to should not be allow access to the management console. The main impact is to confidentiality as this flaw means some role bindings are incorrectly checked, some privileged meta information such as queue names and configuration details are disclosed but the impact is limited as not all information is accessible and there is no affect to integrity.",
               title: "Vulnerability description",
            },
            {
               category: "summary",
               text: "7: Incorrect privilege in Management Console",
               title: "Vulnerability summary",
            },
            {
               category: "general",
               text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
               title: "CVSS score applicability",
            },
         ],
         product_status: {
            fixed: [
               "Red Hat AMQ 7.9.0",
            ],
         },
         references: [
            {
               category: "self",
               summary: "Canonical URL",
               url: "https://access.redhat.com/security/cve/CVE-2021-3763",
            },
            {
               category: "external",
               summary: "RHBZ#2000654",
               url: "https://bugzilla.redhat.com/show_bug.cgi?id=2000654",
            },
            {
               category: "external",
               summary: "https://www.cve.org/CVERecord?id=CVE-2021-3763",
               url: "https://www.cve.org/CVERecord?id=CVE-2021-3763",
            },
            {
               category: "external",
               summary: "https://nvd.nist.gov/vuln/detail/CVE-2021-3763",
               url: "https://nvd.nist.gov/vuln/detail/CVE-2021-3763",
            },
         ],
         release_date: "2021-08-24T00:00:00+00:00",
         remediations: [
            {
               category: "vendor_fix",
               date: "2021-09-30T09:57:35+00:00",
               details: "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
               product_ids: [
                  "Red Hat AMQ 7.9.0",
               ],
               restart_required: {
                  category: "none",
               },
               url: "https://access.redhat.com/errata/RHSA-2021:3700",
            },
         ],
         scores: [
            {
               cvss_v3: {
                  attackComplexity: "LOW",
                  attackVector: "NETWORK",
                  availabilityImpact: "NONE",
                  baseScore: 4.3,
                  baseSeverity: "MEDIUM",
                  confidentialityImpact: "LOW",
                  integrityImpact: "NONE",
                  privilegesRequired: "LOW",
                  scope: "UNCHANGED",
                  userInteraction: "NONE",
                  vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
                  version: "3.1",
               },
               products: [
                  "Red Hat AMQ 7.9.0",
               ],
            },
         ],
         threats: [
            {
               category: "impact",
               details: "Moderate",
            },
         ],
         title: "7: Incorrect privilege in Management Console",
      },
      {
         acknowledgments: [
            {
               names: [
                  "Dirk Papenberg",
               ],
               organization: "NTT DATA Germany",
            },
         ],
         cve: "CVE-2021-20289",
         cwe: {
            id: "CWE-209",
            name: "Generation of Error Message Containing Sensitive Information",
         },
         discovery_date: "2021-03-05T00:00:00+00:00",
         ids: [
            {
               system_name: "Red Hat Bugzilla ID",
               text: "1935927",
            },
         ],
         notes: [
            {
               category: "description",
               text: "A flaw was found in RESTEasy in all versions of RESTEasy up to 4.6.0.Final. The endpoint class and method names are returned as part of the exception response when RESTEasy cannot convert one of the request URI path or query values to the matching JAX-RS resource method's parameter value. The highest threat from this vulnerability is to data confidentiality.",
               title: "Vulnerability description",
            },
            {
               category: "summary",
               text: "resteasy: Error message exposes endpoint class information",
               title: "Vulnerability summary",
            },
            {
               category: "general",
               text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
               title: "CVSS score applicability",
            },
         ],
         product_status: {
            fixed: [
               "Red Hat AMQ 7.9.0",
            ],
         },
         references: [
            {
               category: "self",
               summary: "Canonical URL",
               url: "https://access.redhat.com/security/cve/CVE-2021-20289",
            },
            {
               category: "external",
               summary: "RHBZ#1935927",
               url: "https://bugzilla.redhat.com/show_bug.cgi?id=1935927",
            },
            {
               category: "external",
               summary: "https://www.cve.org/CVERecord?id=CVE-2021-20289",
               url: "https://www.cve.org/CVERecord?id=CVE-2021-20289",
            },
            {
               category: "external",
               summary: "https://nvd.nist.gov/vuln/detail/CVE-2021-20289",
               url: "https://nvd.nist.gov/vuln/detail/CVE-2021-20289",
            },
         ],
         release_date: "2021-03-03T00:00:00+00:00",
         remediations: [
            {
               category: "vendor_fix",
               date: "2021-09-30T09:57:35+00:00",
               details: "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
               product_ids: [
                  "Red Hat AMQ 7.9.0",
               ],
               restart_required: {
                  category: "none",
               },
               url: "https://access.redhat.com/errata/RHSA-2021:3700",
            },
         ],
         scores: [
            {
               cvss_v3: {
                  attackComplexity: "LOW",
                  attackVector: "NETWORK",
                  availabilityImpact: "NONE",
                  baseScore: 5.3,
                  baseSeverity: "MEDIUM",
                  confidentialityImpact: "LOW",
                  integrityImpact: "NONE",
                  privilegesRequired: "NONE",
                  scope: "UNCHANGED",
                  userInteraction: "NONE",
                  vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
                  version: "3.1",
               },
               products: [
                  "Red Hat AMQ 7.9.0",
               ],
            },
         ],
         threats: [
            {
               category: "impact",
               details: "Low",
            },
         ],
         title: "resteasy: Error message exposes endpoint class information",
      },
      {
         cve: "CVE-2021-21290",
         cwe: {
            id: "CWE-200",
            name: "Exposure of Sensitive Information to an Unauthorized Actor",
         },
         discovery_date: "2021-02-09T00:00:00+00:00",
         ids: [
            {
               system_name: "Red Hat Bugzilla ID",
               text: "1927028",
            },
         ],
         notes: [
            {
               category: "description",
               text: "In Netty there is a vulnerability on Unix-like systems involving an insecure temp file. When netty's multipart decoders are used, a local information disclosure can occur via the local system temporary directory if temporary storing uploads on the disk is enabled. On unix-like systems, the temporary directory is shared between all user. As such, writing to this directory using APIs that do not explicitly set the file/directory permissions can lead to information disclosure.",
               title: "Vulnerability description",
            },
            {
               category: "summary",
               text: "netty: Information disclosure via the local system temporary directory",
               title: "Vulnerability summary",
            },
            {
               category: "general",
               text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
               title: "CVSS score applicability",
            },
         ],
         product_status: {
            fixed: [
               "Red Hat AMQ 7.9.0",
            ],
         },
         references: [
            {
               category: "self",
               summary: "Canonical URL",
               url: "https://access.redhat.com/security/cve/CVE-2021-21290",
            },
            {
               category: "external",
               summary: "RHBZ#1927028",
               url: "https://bugzilla.redhat.com/show_bug.cgi?id=1927028",
            },
            {
               category: "external",
               summary: "https://www.cve.org/CVERecord?id=CVE-2021-21290",
               url: "https://www.cve.org/CVERecord?id=CVE-2021-21290",
            },
            {
               category: "external",
               summary: "https://nvd.nist.gov/vuln/detail/CVE-2021-21290",
               url: "https://nvd.nist.gov/vuln/detail/CVE-2021-21290",
            },
         ],
         release_date: "2021-02-09T00:00:00+00:00",
         remediations: [
            {
               category: "vendor_fix",
               date: "2021-09-30T09:57:35+00:00",
               details: "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
               product_ids: [
                  "Red Hat AMQ 7.9.0",
               ],
               restart_required: {
                  category: "none",
               },
               url: "https://access.redhat.com/errata/RHSA-2021:3700",
            },
         ],
         scores: [
            {
               cvss_v3: {
                  attackComplexity: "LOW",
                  attackVector: "LOCAL",
                  availabilityImpact: "NONE",
                  baseScore: 6.2,
                  baseSeverity: "MEDIUM",
                  confidentialityImpact: "HIGH",
                  integrityImpact: "NONE",
                  privilegesRequired: "NONE",
                  scope: "UNCHANGED",
                  userInteraction: "NONE",
                  vectorString: "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
                  version: "3.1",
               },
               products: [
                  "Red Hat AMQ 7.9.0",
               ],
            },
         ],
         threats: [
            {
               category: "impact",
               details: "Low",
            },
         ],
         title: "netty: Information disclosure via the local system temporary directory",
      },
      {
         cve: "CVE-2021-21295",
         cwe: {
            id: "CWE-444",
            name: "Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')",
         },
         discovery_date: "2021-03-09T00:00:00+00:00",
         ids: [
            {
               system_name: "Red Hat Bugzilla ID",
               text: "1937364",
            },
         ],
         notes: [
            {
               category: "description",
               text: "In Netty (io.netty:netty-codec-http2) before version 4.1.60.Final there is a vulnerability that enables request smuggling. If a Content-Length header is present in the original HTTP/2 request, the field is not validated by `Http2MultiplexHandler` as it is propagated up. This is fine as long as the request is not proxied through as HTTP/1.1. If the request comes in as an HTTP/2 stream, gets converted into the HTTP/1.1 domain objects (`HttpRequest`, `HttpContent`, etc.) via `Http2StreamFrameToHttpObjectCodec `and then sent up to the child channel's pipeline and proxied through a remote peer as HTTP/1.1 this may result in request smuggling.",
               title: "Vulnerability description",
            },
            {
               category: "summary",
               text: "netty: possible request smuggling in HTTP/2 due missing validation",
               title: "Vulnerability summary",
            },
            {
               category: "other",
               text: "Red Hat OpenStack Platform's OpenDaylight will not be updated for this flaw because it was deprecated as of OpenStack Platform 14 and is only receiving security fixes for Important and Critical flaws.",
               title: "Statement",
            },
            {
               category: "general",
               text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
               title: "CVSS score applicability",
            },
         ],
         product_status: {
            fixed: [
               "Red Hat AMQ 7.9.0",
            ],
         },
         references: [
            {
               category: "self",
               summary: "Canonical URL",
               url: "https://access.redhat.com/security/cve/CVE-2021-21295",
            },
            {
               category: "external",
               summary: "RHBZ#1937364",
               url: "https://bugzilla.redhat.com/show_bug.cgi?id=1937364",
            },
            {
               category: "external",
               summary: "https://www.cve.org/CVERecord?id=CVE-2021-21295",
               url: "https://www.cve.org/CVERecord?id=CVE-2021-21295",
            },
            {
               category: "external",
               summary: "https://nvd.nist.gov/vuln/detail/CVE-2021-21295",
               url: "https://nvd.nist.gov/vuln/detail/CVE-2021-21295",
            },
            {
               category: "external",
               summary: "https://github.com/netty/netty/security/advisories/GHSA-wm47-8v5p-wjpj",
               url: "https://github.com/netty/netty/security/advisories/GHSA-wm47-8v5p-wjpj",
            },
         ],
         release_date: "2021-03-09T00:00:00+00:00",
         remediations: [
            {
               category: "vendor_fix",
               date: "2021-09-30T09:57:35+00:00",
               details: "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
               product_ids: [
                  "Red Hat AMQ 7.9.0",
               ],
               restart_required: {
                  category: "none",
               },
               url: "https://access.redhat.com/errata/RHSA-2021:3700",
            },
         ],
         scores: [
            {
               cvss_v3: {
                  attackComplexity: "HIGH",
                  attackVector: "NETWORK",
                  availabilityImpact: "NONE",
                  baseScore: 5.9,
                  baseSeverity: "MEDIUM",
                  confidentialityImpact: "NONE",
                  integrityImpact: "HIGH",
                  privilegesRequired: "NONE",
                  scope: "UNCHANGED",
                  userInteraction: "NONE",
                  vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N",
                  version: "3.1",
               },
               products: [
                  "Red Hat AMQ 7.9.0",
               ],
            },
         ],
         threats: [
            {
               category: "impact",
               details: "Moderate",
            },
         ],
         title: "netty: possible request smuggling in HTTP/2 due missing validation",
      },
      {
         cve: "CVE-2021-21409",
         cwe: {
            id: "CWE-444",
            name: "Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')",
         },
         discovery_date: "2021-03-30T00:00:00+00:00",
         ids: [
            {
               system_name: "Red Hat Bugzilla ID",
               text: "1944888",
            },
         ],
         notes: [
            {
               category: "description",
               text: "A flaw was found in Netty. There is an issue where the content-length header is not validated correctly if the request uses a single Http2HeaderFrame with the endstream set to true. This flaw leads to request smuggling if the request is proxied to a remote peer and translated to HTTP/1.1. The highest threat from this vulnerability is to integrity.",
               title: "Vulnerability description",
            },
            {
               category: "summary",
               text: "netty: Request smuggling via content-length header",
               title: "Vulnerability summary",
            },
            {
               category: "other",
               text: "Red Hat Satellite ships a vulnerable Netty version embedded in Candlepin. However, it is not directly vulnerable since the HTTP requests are handled by Tomcat and not by Netty.\nRed Hat OpenStack Platform's OpenDaylight will not be updated for this flaw because it was deprecated as of OpenStack Platform 14 and is only receiving security fixes for Important and Critical flaws.\n\nIn OpenShift Container Platform (OCP), the Hive/Presto/Hadoop components that comprise the OCP Metering stack, ship the vulnerable version of netty-codec-http package.\nSince the release of OCP 4.6, the Metering product has been deprecated [1], hence the affected components are marked as wontfix.\nThis may be fixed in the future.",
               title: "Statement",
            },
            {
               category: "general",
               text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
               title: "CVSS score applicability",
            },
         ],
         product_status: {
            fixed: [
               "Red Hat AMQ 7.9.0",
            ],
         },
         references: [
            {
               category: "self",
               summary: "Canonical URL",
               url: "https://access.redhat.com/security/cve/CVE-2021-21409",
            },
            {
               category: "external",
               summary: "RHBZ#1944888",
               url: "https://bugzilla.redhat.com/show_bug.cgi?id=1944888",
            },
            {
               category: "external",
               summary: "https://www.cve.org/CVERecord?id=CVE-2021-21409",
               url: "https://www.cve.org/CVERecord?id=CVE-2021-21409",
            },
            {
               category: "external",
               summary: "https://nvd.nist.gov/vuln/detail/CVE-2021-21409",
               url: "https://nvd.nist.gov/vuln/detail/CVE-2021-21409",
            },
            {
               category: "external",
               summary: "https://github.com/netty/netty/security/advisories/GHSA-f256-j965-7f32",
               url: "https://github.com/netty/netty/security/advisories/GHSA-f256-j965-7f32",
            },
         ],
         release_date: "2021-03-30T00:00:00+00:00",
         remediations: [
            {
               category: "vendor_fix",
               date: "2021-09-30T09:57:35+00:00",
               details: "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
               product_ids: [
                  "Red Hat AMQ 7.9.0",
               ],
               restart_required: {
                  category: "none",
               },
               url: "https://access.redhat.com/errata/RHSA-2021:3700",
            },
         ],
         scores: [
            {
               cvss_v3: {
                  attackComplexity: "HIGH",
                  attackVector: "NETWORK",
                  availabilityImpact: "NONE",
                  baseScore: 5.9,
                  baseSeverity: "MEDIUM",
                  confidentialityImpact: "NONE",
                  integrityImpact: "HIGH",
                  privilegesRequired: "NONE",
                  scope: "UNCHANGED",
                  userInteraction: "NONE",
                  vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N",
                  version: "3.1",
               },
               products: [
                  "Red Hat AMQ 7.9.0",
               ],
            },
         ],
         threats: [
            {
               category: "impact",
               details: "Moderate",
            },
         ],
         title: "netty: Request smuggling via content-length header",
      },
      {
         cve: "CVE-2021-28163",
         cwe: {
            id: "CWE-200",
            name: "Exposure of Sensitive Information to an Unauthorized Actor",
         },
         discovery_date: "2021-04-01T00:00:00+00:00",
         ids: [
            {
               system_name: "Red Hat Bugzilla ID",
               text: "1945710",
            },
         ],
         notes: [
            {
               category: "description",
               text: "If the ${jetty.base} directory or the ${jetty.base}/webapps directory is a symlink the contents of the ${jetty.base}/webapps directory may be deployed as a static web application, exposing the content of the directory for download. The highest threat from this vulnerability is to data confidentiality.",
               title: "Vulnerability description",
            },
            {
               category: "summary",
               text: "jetty: Symlink directory exposes webapp directory contents",
               title: "Vulnerability summary",
            },
            {
               category: "other",
               text: "In OpenShift Container Platform (OCP), the hive/presto/hadoop components that comprise the OCP metering stack, ship the vulnerable version of jetty.\nSince the release of OCP 4.6, the metering product has been deprecated [1], hence the affected components are marked as wontfix.\nThis may be fixed in the future.\n\n[1] https://docs.openshift.com/container-platform/4.6/release_notes/ocp-4-6-release-notes.html#ocp-4-6-metering-operator-deprecated\n\nRed Hat OpenStack Platform's OpenDaylight will not be updated for this flaw because it was deprecated as of OpenStack Platform 14 and is only receiving security fixes for Important and Critical flaws.\n\nRed Hat CodeReady Studio 12 is not affected by this vulnerability because it does not ship a vulnerable version of jetty.",
               title: "Statement",
            },
            {
               category: "general",
               text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
               title: "CVSS score applicability",
            },
         ],
         product_status: {
            fixed: [
               "Red Hat AMQ 7.9.0",
            ],
         },
         references: [
            {
               category: "self",
               summary: "Canonical URL",
               url: "https://access.redhat.com/security/cve/CVE-2021-28163",
            },
            {
               category: "external",
               summary: "RHBZ#1945710",
               url: "https://bugzilla.redhat.com/show_bug.cgi?id=1945710",
            },
            {
               category: "external",
               summary: "https://www.cve.org/CVERecord?id=CVE-2021-28163",
               url: "https://www.cve.org/CVERecord?id=CVE-2021-28163",
            },
            {
               category: "external",
               summary: "https://nvd.nist.gov/vuln/detail/CVE-2021-28163",
               url: "https://nvd.nist.gov/vuln/detail/CVE-2021-28163",
            },
            {
               category: "external",
               summary: "https://github.com/eclipse/jetty.project/security/advisories/GHSA-j6qj-j888-vvgq",
               url: "https://github.com/eclipse/jetty.project/security/advisories/GHSA-j6qj-j888-vvgq",
            },
         ],
         release_date: "2021-04-01T00:00:00+00:00",
         remediations: [
            {
               category: "vendor_fix",
               date: "2021-09-30T09:57:35+00:00",
               details: "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
               product_ids: [
                  "Red Hat AMQ 7.9.0",
               ],
               restart_required: {
                  category: "none",
               },
               url: "https://access.redhat.com/errata/RHSA-2021:3700",
            },
         ],
         scores: [
            {
               cvss_v3: {
                  attackComplexity: "LOW",
                  attackVector: "NETWORK",
                  availabilityImpact: "NONE",
                  baseScore: 2.7,
                  baseSeverity: "LOW",
                  confidentialityImpact: "LOW",
                  integrityImpact: "NONE",
                  privilegesRequired: "HIGH",
                  scope: "UNCHANGED",
                  userInteraction: "NONE",
                  vectorString: "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N",
                  version: "3.1",
               },
               products: [
                  "Red Hat AMQ 7.9.0",
               ],
            },
         ],
         threats: [
            {
               category: "impact",
               details: "Moderate",
            },
         ],
         title: "jetty: Symlink directory exposes webapp directory contents",
      },
      {
         cve: "CVE-2021-28164",
         cwe: {
            id: "CWE-200",
            name: "Exposure of Sensitive Information to an Unauthorized Actor",
         },
         discovery_date: "2021-04-01T00:00:00+00:00",
         ids: [
            {
               system_name: "Red Hat Bugzilla ID",
               text: "1945712",
            },
         ],
         notes: [
            {
               category: "description",
               text: "In Jetty the default compliance mode allows requests with URIs that contain %2e or %2e%2e segments to access protected resources within the WEB-INF directory. An attacker can use this vulnerability to reveal sensitive information regarding the implementation of a web application.",
               title: "Vulnerability description",
            },
            {
               category: "summary",
               text: "jetty: Ambiguous paths can access WEB-INF",
               title: "Vulnerability summary",
            },
            {
               category: "other",
               text: "Red Hat OpenStack Platform's OpenDaylight will not be updated for this flaw because it was deprecated as of OpenStack Platform 14 and is only receiving security fixes for Important and Critical flaws.\n\nRed Hat CodeReady Studio 12 is not affected by this vulnerability because it does not ship a vulnerable version of jetty.",
               title: "Statement",
            },
            {
               category: "general",
               text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
               title: "CVSS score applicability",
            },
         ],
         product_status: {
            fixed: [
               "Red Hat AMQ 7.9.0",
            ],
         },
         references: [
            {
               category: "self",
               summary: "Canonical URL",
               url: "https://access.redhat.com/security/cve/CVE-2021-28164",
            },
            {
               category: "external",
               summary: "RHBZ#1945712",
               url: "https://bugzilla.redhat.com/show_bug.cgi?id=1945712",
            },
            {
               category: "external",
               summary: "https://www.cve.org/CVERecord?id=CVE-2021-28164",
               url: "https://www.cve.org/CVERecord?id=CVE-2021-28164",
            },
            {
               category: "external",
               summary: "https://nvd.nist.gov/vuln/detail/CVE-2021-28164",
               url: "https://nvd.nist.gov/vuln/detail/CVE-2021-28164",
            },
            {
               category: "external",
               summary: "https://github.com/eclipse/jetty.project/security/advisories/GHSA-v7ff-8wcx-gmc5",
               url: "https://github.com/eclipse/jetty.project/security/advisories/GHSA-v7ff-8wcx-gmc5",
            },
         ],
         release_date: "2021-04-01T00:00:00+00:00",
         remediations: [
            {
               category: "vendor_fix",
               date: "2021-09-30T09:57:35+00:00",
               details: "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
               product_ids: [
                  "Red Hat AMQ 7.9.0",
               ],
               restart_required: {
                  category: "none",
               },
               url: "https://access.redhat.com/errata/RHSA-2021:3700",
            },
         ],
         scores: [
            {
               cvss_v3: {
                  attackComplexity: "LOW",
                  attackVector: "NETWORK",
                  availabilityImpact: "NONE",
                  baseScore: 5.3,
                  baseSeverity: "MEDIUM",
                  confidentialityImpact: "LOW",
                  integrityImpact: "NONE",
                  privilegesRequired: "NONE",
                  scope: "UNCHANGED",
                  userInteraction: "NONE",
                  vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
                  version: "3.1",
               },
               products: [
                  "Red Hat AMQ 7.9.0",
               ],
            },
         ],
         threats: [
            {
               category: "impact",
               details: "Moderate",
            },
         ],
         title: "jetty: Ambiguous paths can access WEB-INF",
      },
      {
         cve: "CVE-2021-28165",
         cwe: {
            id: "CWE-400",
            name: "Uncontrolled Resource Consumption",
         },
         discovery_date: "2021-04-01T00:00:00+00:00",
         ids: [
            {
               system_name: "Red Hat Bugzilla ID",
               text: "1945714",
            },
         ],
         notes: [
            {
               category: "description",
               text: "When using SSL/TLS with Jetty, either with HTTP/1.1, HTTP/2, or WebSocket, the server may receive an invalid large (greater than 17408) TLS frame that is incorrectly handled, causing high CPU resources utilization. The highest threat from this vulnerability is to service availability.",
               title: "Vulnerability description",
            },
            {
               category: "summary",
               text: "jetty: Resource exhaustion when receiving an invalid large TLS frame",
               title: "Vulnerability summary",
            },
            {
               category: "other",
               text: "In OpenShift Container Platform (OCP), the hive/presto/hadoop components that comprise the OCP metering stack, ship the vulnerable version of jetty.\nSince the release of OCP 4.6, the metering product has been deprecated [1], hence the affected components are marked as wontfix.\nThis may be fixed in the future.\n\n[1] https://docs.openshift.com/container-platform/4.6/release_notes/ocp-4-6-release-notes.html#ocp-4-6-metering-operator-deprecated\n\nRed Hat OpenStack Platform's OpenDaylight will not be updated for this flaw because it was deprecated as of OpenStack Platform 14 and is only receiving security fixes for Important and Critical flaws.",
               title: "Statement",
            },
            {
               category: "general",
               text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
               title: "CVSS score applicability",
            },
         ],
         product_status: {
            fixed: [
               "Red Hat AMQ 7.9.0",
            ],
         },
         references: [
            {
               category: "self",
               summary: "Canonical URL",
               url: "https://access.redhat.com/security/cve/CVE-2021-28165",
            },
            {
               category: "external",
               summary: "RHBZ#1945714",
               url: "https://bugzilla.redhat.com/show_bug.cgi?id=1945714",
            },
            {
               category: "external",
               summary: "https://www.cve.org/CVERecord?id=CVE-2021-28165",
               url: "https://www.cve.org/CVERecord?id=CVE-2021-28165",
            },
            {
               category: "external",
               summary: "https://nvd.nist.gov/vuln/detail/CVE-2021-28165",
               url: "https://nvd.nist.gov/vuln/detail/CVE-2021-28165",
            },
            {
               category: "external",
               summary: "https://github.com/eclipse/jetty.project/security/advisories/GHSA-26vr-8j45-3r4w",
               url: "https://github.com/eclipse/jetty.project/security/advisories/GHSA-26vr-8j45-3r4w",
            },
         ],
         release_date: "2021-04-01T00:00:00+00:00",
         remediations: [
            {
               category: "vendor_fix",
               date: "2021-09-30T09:57:35+00:00",
               details: "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
               product_ids: [
                  "Red Hat AMQ 7.9.0",
               ],
               restart_required: {
                  category: "none",
               },
               url: "https://access.redhat.com/errata/RHSA-2021:3700",
            },
         ],
         scores: [
            {
               cvss_v3: {
                  attackComplexity: "LOW",
                  attackVector: "NETWORK",
                  availabilityImpact: "HIGH",
                  baseScore: 7.5,
                  baseSeverity: "HIGH",
                  confidentialityImpact: "NONE",
                  integrityImpact: "NONE",
                  privilegesRequired: "NONE",
                  scope: "UNCHANGED",
                  userInteraction: "NONE",
                  vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                  version: "3.1",
               },
               products: [
                  "Red Hat AMQ 7.9.0",
               ],
            },
         ],
         threats: [
            {
               category: "impact",
               details: "Moderate",
            },
         ],
         title: "jetty: Resource exhaustion when receiving an invalid large TLS frame",
      },
      {
         cve: "CVE-2021-28169",
         cwe: {
            id: "CWE-200",
            name: "Exposure of Sensitive Information to an Unauthorized Actor",
         },
         discovery_date: "2021-06-09T00:00:00+00:00",
         ids: [
            {
               system_name: "Red Hat Bugzilla ID",
               text: "1971016",
            },
         ],
         notes: [
            {
               category: "description",
               text: "For Eclipse Jetty versions <= 9.4.40, <= 10.0.2, <= 11.0.2, it is possible for requests to the ConcatServlet with a doubly encoded path to access protected resources within the WEB-INF directory. For example a request to `/concat?/%2557EB-INF/web.xml` can retrieve the web.xml file. This can reveal sensitive information regarding the implementation of a web application.",
               title: "Vulnerability description",
            },
            {
               category: "summary",
               text: "jetty: requests to the ConcatServlet and WelcomeFilter are able to access protected resources within the WEB-INF directory",
               title: "Vulnerability summary",
            },
            {
               category: "other",
               text: "In OpenShift Container Platform (OCP), the hive/presto/hadoop components that comprise the OCP metering stack, ship the vulnerable version of jetty.\nSince the release of OCP 4.6, the metering product has been deprecated [1], hence the affected components are marked as wontfix.\nThis may be fixed in the future.\n\n[1] https://docs.openshift.com/container-platform/4.6/release_notes/ocp-4-6-release-notes.html#ocp-4-6-metering-operator-deprecated\n\nRed Hat OpenStack Platform's OpenDaylight will not be updated for this flaw because it was deprecated as of OpenStack Platform 14 and is only receiving security fixes for Important and Critical flaws.\n\nRed Hat CodeReady Studio 12 is not affected by this flaw because it does not ship the vulnerable components (ConcatServlet or WelcomeFilter) of jetty.\n\nRed Hat Enterprise Linux 8 is not affected by this flaw because it does not ship the vulnerable components (ConcatServlet or WelcomeFilter) of jetty.\n\nRed Hat Enterprise Linux 7 ships the vulnerable component of jetty, but only in the optional repository and thus this flaw is out of support scope for Red Hat Enterprise Linux 7.",
               title: "Statement",
            },
            {
               category: "general",
               text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
               title: "CVSS score applicability",
            },
         ],
         product_status: {
            fixed: [
               "Red Hat AMQ 7.9.0",
            ],
         },
         references: [
            {
               category: "self",
               summary: "Canonical URL",
               url: "https://access.redhat.com/security/cve/CVE-2021-28169",
            },
            {
               category: "external",
               summary: "RHBZ#1971016",
               url: "https://bugzilla.redhat.com/show_bug.cgi?id=1971016",
            },
            {
               category: "external",
               summary: "https://www.cve.org/CVERecord?id=CVE-2021-28169",
               url: "https://www.cve.org/CVERecord?id=CVE-2021-28169",
            },
            {
               category: "external",
               summary: "https://nvd.nist.gov/vuln/detail/CVE-2021-28169",
               url: "https://nvd.nist.gov/vuln/detail/CVE-2021-28169",
            },
         ],
         release_date: "2021-06-08T00:00:00+00:00",
         remediations: [
            {
               category: "vendor_fix",
               date: "2021-09-30T09:57:35+00:00",
               details: "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
               product_ids: [
                  "Red Hat AMQ 7.9.0",
               ],
               restart_required: {
                  category: "none",
               },
               url: "https://access.redhat.com/errata/RHSA-2021:3700",
            },
         ],
         scores: [
            {
               cvss_v3: {
                  attackComplexity: "LOW",
                  attackVector: "NETWORK",
                  availabilityImpact: "NONE",
                  baseScore: 5.3,
                  baseSeverity: "MEDIUM",
                  confidentialityImpact: "LOW",
                  integrityImpact: "NONE",
                  privilegesRequired: "NONE",
                  scope: "UNCHANGED",
                  userInteraction: "NONE",
                  vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
                  version: "3.1",
               },
               products: [
                  "Red Hat AMQ 7.9.0",
               ],
            },
         ],
         threats: [
            {
               category: "impact",
               details: "Moderate",
            },
         ],
         title: "jetty: requests to the ConcatServlet and WelcomeFilter are able to access protected resources within the WEB-INF directory",
      },
      {
         cve: "CVE-2021-29425",
         cwe: {
            id: "CWE-22",
            name: "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')",
         },
         discovery_date: "2021-04-12T00:00:00+00:00",
         ids: [
            {
               system_name: "Red Hat Bugzilla ID",
               text: "1948752",
            },
         ],
         notes: [
            {
               category: "description",
               text: "In Apache Commons IO before 2.7, When invoking the method FileNameUtils.normalize with an improper input string, like \"//../foo\", or \"\\\\..\\foo\", the result would be the same value, thus possibly providing access to files in the parent directory, but not further above (thus \"limited\" path traversal), if the calling code would use the result to construct a path value.",
               title: "Vulnerability description",
            },
            {
               category: "summary",
               text: "apache-commons-io: Limited path traversal in Apache Commons IO 2.2 to 2.6",
               title: "Vulnerability summary",
            },
            {
               category: "other",
               text: "While the apache-commons-io package included in Red Hat Enterprise Linux 8 Maven App Stream contains the vulnerable code, it is not used in any way by Maven or other packages in this module.  This package is not an API component of Maven, thus the affected code can not be reached in any supported scenario.",
               title: "Statement",
            },
            {
               category: "general",
               text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
               title: "CVSS score applicability",
            },
         ],
         product_status: {
            fixed: [
               "Red Hat AMQ 7.9.0",
            ],
         },
         references: [
            {
               category: "self",
               summary: "Canonical URL",
               url: "https://access.redhat.com/security/cve/CVE-2021-29425",
            },
            {
               category: "external",
               summary: "RHBZ#1948752",
               url: "https://bugzilla.redhat.com/show_bug.cgi?id=1948752",
            },
            {
               category: "external",
               summary: "https://www.cve.org/CVERecord?id=CVE-2021-29425",
               url: "https://www.cve.org/CVERecord?id=CVE-2021-29425",
            },
            {
               category: "external",
               summary: "https://nvd.nist.gov/vuln/detail/CVE-2021-29425",
               url: "https://nvd.nist.gov/vuln/detail/CVE-2021-29425",
            },
         ],
         release_date: "2021-04-12T00:00:00+00:00",
         remediations: [
            {
               category: "vendor_fix",
               date: "2021-09-30T09:57:35+00:00",
               details: "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
               product_ids: [
                  "Red Hat AMQ 7.9.0",
               ],
               restart_required: {
                  category: "none",
               },
               url: "https://access.redhat.com/errata/RHSA-2021:3700",
            },
         ],
         scores: [
            {
               cvss_v3: {
                  attackComplexity: "HIGH",
                  attackVector: "NETWORK",
                  availabilityImpact: "NONE",
                  baseScore: 4.8,
                  baseSeverity: "MEDIUM",
                  confidentialityImpact: "LOW",
                  integrityImpact: "LOW",
                  privilegesRequired: "NONE",
                  scope: "UNCHANGED",
                  userInteraction: "NONE",
                  vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
                  version: "3.1",
               },
               products: [
                  "Red Hat AMQ 7.9.0",
               ],
            },
         ],
         threats: [
            {
               category: "impact",
               details: "Moderate",
            },
         ],
         title: "apache-commons-io: Limited path traversal in Apache Commons IO 2.2 to 2.6",
      },
      {
         cve: "CVE-2021-34428",
         cwe: {
            id: "CWE-613",
            name: "Insufficient Session Expiration",
         },
         discovery_date: "2021-06-22T00:00:00+00:00",
         ids: [
            {
               system_name: "Red Hat Bugzilla ID",
               text: "1974891",
            },
         ],
         notes: [
            {
               category: "description",
               text: "A flaw was discovered in the jetty-server, where if an exception is thrown from the SessionListener#sessionDestroyed() method, then the session ID is not invalidated in the session ID manager. On deployments with clustered sessions and multiple contexts, this could result in a session not being invalidated and a shared-computer application being left logged in. The highest threat from this vulnerability is to data confidentiality and integrity.",
               title: "Vulnerability description",
            },
            {
               category: "summary",
               text: "jetty: SessionListener can prevent a session from being invalidated breaking logout",
               title: "Vulnerability summary",
            },
            {
               category: "other",
               text: "In OpenShift Container Platform (OCP), the hive/presto/hadoop components that comprise the OCP metering stack, ship the vulnerable version of jetty. Since the release of OCP 4.6, the metering product has been deprecated [1], hence the affected components are marked as wontfix. This may be fixed in the future.\n\nOCP 3.11 is out of the support scope for Moderate and Low impact vulnerabilities because is already in the Maintenance Support phase, hence the affected OCP 3.11 component has been marked as wontifx.\n\n[1] https://docs.openshift.com/container-platform/4.6/release_notes/ocp-4-6-release-notes.html#ocp-4-6-metering-operator-deprecated",
               title: "Statement",
            },
            {
               category: "general",
               text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
               title: "CVSS score applicability",
            },
         ],
         product_status: {
            fixed: [
               "Red Hat AMQ 7.9.0",
            ],
         },
         references: [
            {
               category: "self",
               summary: "Canonical URL",
               url: "https://access.redhat.com/security/cve/CVE-2021-34428",
            },
            {
               category: "external",
               summary: "RHBZ#1974891",
               url: "https://bugzilla.redhat.com/show_bug.cgi?id=1974891",
            },
            {
               category: "external",
               summary: "https://www.cve.org/CVERecord?id=CVE-2021-34428",
               url: "https://www.cve.org/CVERecord?id=CVE-2021-34428",
            },
            {
               category: "external",
               summary: "https://nvd.nist.gov/vuln/detail/CVE-2021-34428",
               url: "https://nvd.nist.gov/vuln/detail/CVE-2021-34428",
            },
            {
               category: "external",
               summary: "https://github.com/eclipse/jetty.project/security/advisories/GHSA-m6cp-vxjx-65j6",
               url: "https://github.com/eclipse/jetty.project/security/advisories/GHSA-m6cp-vxjx-65j6",
            },
         ],
         release_date: "2021-06-22T00:00:00+00:00",
         remediations: [
            {
               category: "vendor_fix",
               date: "2021-09-30T09:57:35+00:00",
               details: "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
               product_ids: [
                  "Red Hat AMQ 7.9.0",
               ],
               restart_required: {
                  category: "none",
               },
               url: "https://access.redhat.com/errata/RHSA-2021:3700",
            },
            {
               category: "workaround",
               details: "Applications should catch all Throwables within their SessionListener#sessionDestroyed() implementations.",
               product_ids: [
                  "Red Hat AMQ 7.9.0",
               ],
            },
         ],
         scores: [
            {
               cvss_v3: {
                  attackComplexity: "LOW",
                  attackVector: "PHYSICAL",
                  availabilityImpact: "NONE",
                  baseScore: 3.5,
                  baseSeverity: "LOW",
                  confidentialityImpact: "LOW",
                  integrityImpact: "LOW",
                  privilegesRequired: "NONE",
                  scope: "UNCHANGED",
                  userInteraction: "NONE",
                  vectorString: "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
                  version: "3.1",
               },
               products: [
                  "Red Hat AMQ 7.9.0",
               ],
            },
         ],
         threats: [
            {
               category: "impact",
               details: "Low",
            },
         ],
         title: "jetty: SessionListener can prevent a session from being invalidated breaking logout",
      },
      {
         cve: "CVE-2021-34429",
         cwe: {
            id: "CWE-200",
            name: "Exposure of Sensitive Information to an Unauthorized Actor",
         },
         discovery_date: "2021-07-23T00:00:00+00:00",
         ids: [
            {
               system_name: "Red Hat Bugzilla ID",
               text: "1985223",
            },
         ],
         notes: [
            {
               category: "description",
               text: "For Eclipse Jetty versions 9.4.37-9.4.42, 10.0.1-10.0.5 & 11.0.1-11.0.5, URIs can be crafted using some encoded characters to access the content of the WEB-INF directory and/or bypass some security constraints. This is a variation of the vulnerability reported in CVE-2021-28164/GHSA-v7ff-8wcx-gmc5.",
               title: "Vulnerability description",
            },
            {
               category: "summary",
               text: "jetty: crafted URIs allow bypassing security constraints",
               title: "Vulnerability summary",
            },
            {
               category: "other",
               text: "OCP 3.11 is out of the support scope for Moderate and Low impact vulnerabilities because is already in the Maintenance Support phase, hence the affected OCP 3.11 component has been marked as \"ooss\".\n\nRed Hat OpenStack Platform's OpenDaylight will not be updated for this flaw because it was deprecated as of OpenStack Platform 14 and is only receiving security fixes for Critical flaws.",
               title: "Statement",
            },
            {
               category: "general",
               text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
               title: "CVSS score applicability",
            },
         ],
         product_status: {
            fixed: [
               "Red Hat AMQ 7.9.0",
            ],
         },
         references: [
            {
               category: "self",
               summary: "Canonical URL",
               url: "https://access.redhat.com/security/cve/CVE-2021-34429",
            },
            {
               category: "external",
               summary: "RHBZ#1985223",
               url: "https://bugzilla.redhat.com/show_bug.cgi?id=1985223",
            },
            {
               category: "external",
               summary: "https://www.cve.org/CVERecord?id=CVE-2021-34429",
               url: "https://www.cve.org/CVERecord?id=CVE-2021-34429",
            },
            {
               category: "external",
               summary: "https://nvd.nist.gov/vuln/detail/CVE-2021-34429",
               url: "https://nvd.nist.gov/vuln/detail/CVE-2021-34429",
            },
         ],
         release_date: "2021-07-15T00:00:00+00:00",
         remediations: [
            {
               category: "vendor_fix",
               date: "2021-09-30T09:57:35+00:00",
               details: "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
               product_ids: [
                  "Red Hat AMQ 7.9.0",
               ],
               restart_required: {
                  category: "none",
               },
               url: "https://access.redhat.com/errata/RHSA-2021:3700",
            },
         ],
         scores: [
            {
               cvss_v3: {
                  attackComplexity: "LOW",
                  attackVector: "NETWORK",
                  availabilityImpact: "NONE",
                  baseScore: 5.3,
                  baseSeverity: "MEDIUM",
                  confidentialityImpact: "LOW",
                  integrityImpact: "NONE",
                  privilegesRequired: "NONE",
                  scope: "UNCHANGED",
                  userInteraction: "NONE",
                  vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
                  version: "3.1",
               },
               products: [
                  "Red Hat AMQ 7.9.0",
               ],
            },
         ],
         threats: [
            {
               category: "impact",
               details: "Moderate",
            },
         ],
         title: "jetty: crafted URIs allow bypassing security constraints",
      },
   ],
}