Action not permitted
Modal body text goes here.
Modal Title
Modal Body
cve-2021-31684
Vulnerability from cvelistv5
Published
2021-06-01 00:00
Modified
2024-08-03 23:03
Severity ?
EPSS score ?
Summary
A vulnerability was discovered in the indexOf function of JSONParserByteArray in JSON Smart versions 1.3 and 2.4 which causes a denial of service (DOS) via a crafted web request.
References
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2021-31684", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-06-26T20:29:15.371021Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-06-26T20:29:24.586Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, { providerMetadata: { dateUpdated: "2024-08-03T23:03:33.688Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://github.com/netplex/json-smart-v1/issues/10", }, { tags: [ "x_transferred", ], url: "https://github.com/netplex/json-smart-v1/pull/11", }, { tags: [ "x_transferred", ], url: "https://github.com/netplex/json-smart-v2/issues/67", }, { tags: [ "x_transferred", ], url: "https://github.com/netplex/json-smart-v2/pull/68", }, { tags: [ "x_transferred", ], url: "https://www.oracle.com/security-alerts/cpujan2022.html", }, { tags: [ "x_transferred", ], url: "https://www.oracle.com/security-alerts/cpujul2022.html", }, { name: "[debian-lts-announce] 20230331 [SECURITY] [DLA 3373-1] json-smart security update", tags: [ "mailing-list", "x_transferred", ], url: "https://lists.debian.org/debian-lts-announce/2023/03/msg00030.html", }, { tags: [ "x_transferred", ], url: "https://security.netapp.com/advisory/ntap-20240621-0006/", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "n/a", vendor: "n/a", versions: [ { status: "affected", version: "n/a", }, ], }, ], descriptions: [ { lang: "en", value: "A vulnerability was discovered in the indexOf function of JSONParserByteArray in JSON Smart versions 1.3 and 2.4 which causes a denial of service (DOS) via a crafted web request.", }, ], problemTypes: [ { descriptions: [ { description: "n/a", lang: "en", type: "text", }, ], }, ], providerMetadata: { dateUpdated: "2024-06-21T19:07:27.758330", orgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca", shortName: "mitre", }, references: [ { url: "https://github.com/netplex/json-smart-v1/issues/10", }, { url: "https://github.com/netplex/json-smart-v1/pull/11", }, { url: "https://github.com/netplex/json-smart-v2/issues/67", }, { url: "https://github.com/netplex/json-smart-v2/pull/68", }, { url: "https://www.oracle.com/security-alerts/cpujan2022.html", }, { url: "https://www.oracle.com/security-alerts/cpujul2022.html", }, { name: "[debian-lts-announce] 20230331 [SECURITY] [DLA 3373-1] json-smart security update", tags: [ "mailing-list", ], url: "https://lists.debian.org/debian-lts-announce/2023/03/msg00030.html", }, { url: "https://security.netapp.com/advisory/ntap-20240621-0006/", }, ], }, }, cveMetadata: { assignerOrgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca", assignerShortName: "mitre", cveId: "CVE-2021-31684", datePublished: "2021-06-01T00:00:00", dateReserved: "2021-04-23T00:00:00", dateUpdated: "2024-08-03T23:03:33.688Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", "vulnerability-lookup:meta": { fkie_nvd: { configurations: "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:json-smart_project:json-smart-v1:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"1.3\", \"versionEndExcluding\": \"1.3.3\", \"matchCriteriaId\": \"A087629A-9D66-4991-8FC4-DD6B28F8A046\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:json-smart_project:json-smart-v2:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"2.4\", \"versionEndExcluding\": \"2.4.4\", \"matchCriteriaId\": \"4F757C16-6C4E-412F-8E75-95A83F1B68CC\"}]}]}, {\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:oracle:utilities_framework:4.4.0.0.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"3F906F04-39E4-4BE4-8A73-9D058AAADB43\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:oracle:utilities_framework:4.4.0.2.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"7B393A82-476A-4270-A903-38ED4169E431\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:oracle:utilities_framework:4.4.0.3.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"85CAE52B-C2CA-4C6B-A0B7-2B9D6F0499E2\"}]}]}]", descriptions: "[{\"lang\": \"en\", \"value\": \"A vulnerability was discovered in the indexOf function of JSONParserByteArray in JSON Smart versions 1.3 and 2.4 which causes a denial of service (DOS) via a crafted web request.\"}, {\"lang\": \"es\", \"value\": \"Se ha detectado una vulnerabilidad en la funci\\u00f3n indexOf de JSONParserByteArray en versiones 1.3 y 2.4 de JSON Smart que causa una Denegaci\\u00f3n de Servicio (DOS) por medio de una petici\\u00f3n web dise\\u00f1ada\"}]", id: "CVE-2021-31684", lastModified: "2024-11-21T06:06:07.743", metrics: "{\"cvssMetricV31\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\", \"baseScore\": 7.5, \"baseSeverity\": \"HIGH\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 3.9, \"impactScore\": 3.6}], \"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:N/AC:L/Au:N/C:N/I:N/A:P\", \"baseScore\": 5.0, \"accessVector\": \"NETWORK\", \"accessComplexity\": \"LOW\", \"authentication\": \"NONE\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"PARTIAL\"}, \"baseSeverity\": \"MEDIUM\", \"exploitabilityScore\": 10.0, \"impactScore\": 2.9, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": false}]}", published: "2021-06-01T20:15:08.480", references: "[{\"url\": \"https://github.com/netplex/json-smart-v1/issues/10\", \"source\": \"cve@mitre.org\", \"tags\": [\"Issue Tracking\", \"Third Party Advisory\"]}, {\"url\": \"https://github.com/netplex/json-smart-v1/pull/11\", \"source\": \"cve@mitre.org\", \"tags\": [\"Patch\", \"Third Party Advisory\"]}, {\"url\": \"https://github.com/netplex/json-smart-v2/issues/67\", \"source\": \"cve@mitre.org\", \"tags\": [\"Exploit\", \"Issue Tracking\", \"Third Party Advisory\"]}, {\"url\": \"https://github.com/netplex/json-smart-v2/pull/68\", \"source\": \"cve@mitre.org\", \"tags\": [\"Patch\", \"Third Party Advisory\"]}, {\"url\": \"https://lists.debian.org/debian-lts-announce/2023/03/msg00030.html\", \"source\": \"cve@mitre.org\"}, {\"url\": \"https://security.netapp.com/advisory/ntap-20240621-0006/\", \"source\": \"cve@mitre.org\"}, {\"url\": \"https://www.oracle.com/security-alerts/cpujan2022.html\", \"source\": \"cve@mitre.org\", \"tags\": [\"Patch\", \"Third Party Advisory\"]}, {\"url\": \"https://www.oracle.com/security-alerts/cpujul2022.html\", \"source\": \"cve@mitre.org\"}, {\"url\": \"https://github.com/netplex/json-smart-v1/issues/10\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Issue Tracking\", \"Third Party Advisory\"]}, {\"url\": \"https://github.com/netplex/json-smart-v1/pull/11\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Patch\", \"Third Party Advisory\"]}, {\"url\": \"https://github.com/netplex/json-smart-v2/issues/67\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Exploit\", \"Issue Tracking\", \"Third Party Advisory\"]}, {\"url\": \"https://github.com/netplex/json-smart-v2/pull/68\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Patch\", \"Third Party Advisory\"]}, {\"url\": \"https://lists.debian.org/debian-lts-announce/2023/03/msg00030.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://security.netapp.com/advisory/ntap-20240621-0006/\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://www.oracle.com/security-alerts/cpujan2022.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Patch\", \"Third Party Advisory\"]}, {\"url\": \"https://www.oracle.com/security-alerts/cpujul2022.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}]", sourceIdentifier: "cve@mitre.org", vulnStatus: "Modified", weaknesses: "[{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-787\"}]}]", }, nvd: "{\"cve\":{\"id\":\"CVE-2021-31684\",\"sourceIdentifier\":\"cve@mitre.org\",\"published\":\"2021-06-01T20:15:08.480\",\"lastModified\":\"2024-11-21T06:06:07.743\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"A vulnerability was discovered in the indexOf function of JSONParserByteArray in JSON Smart versions 1.3 and 2.4 which causes a denial of service (DOS) via a crafted web request.\"},{\"lang\":\"es\",\"value\":\"Se ha detectado una vulnerabilidad en la función indexOf de JSONParserByteArray en versiones 1.3 y 2.4 de JSON Smart que causa una Denegación de Servicio (DOS) por medio de una petición web diseñada\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:N/C:N/I:N/A:P\",\"baseScore\":5.0,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"PARTIAL\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":10.0,\"impactScore\":2.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-787\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:json-smart_project:json-smart-v1:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"1.3\",\"versionEndExcluding\":\"1.3.3\",\"matchCriteriaId\":\"A087629A-9D66-4991-8FC4-DD6B28F8A046\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:json-smart_project:json-smart-v2:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"2.4\",\"versionEndExcluding\":\"2.4.4\",\"matchCriteriaId\":\"4F757C16-6C4E-412F-8E75-95A83F1B68CC\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:utilities_framework:4.4.0.0.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"3F906F04-39E4-4BE4-8A73-9D058AAADB43\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:utilities_framework:4.4.0.2.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"7B393A82-476A-4270-A903-38ED4169E431\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:utilities_framework:4.4.0.3.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"85CAE52B-C2CA-4C6B-A0B7-2B9D6F0499E2\"}]}]}],\"references\":[{\"url\":\"https://github.com/netplex/json-smart-v1/issues/10\",\"source\":\"cve@mitre.org\",\"tags\":[\"Issue Tracking\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/netplex/json-smart-v1/pull/11\",\"source\":\"cve@mitre.org\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/netplex/json-smart-v2/issues/67\",\"source\":\"cve@mitre.org\",\"tags\":[\"Exploit\",\"Issue Tracking\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/netplex/json-smart-v2/pull/68\",\"source\":\"cve@mitre.org\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://lists.debian.org/debian-lts-announce/2023/03/msg00030.html\",\"source\":\"cve@mitre.org\"},{\"url\":\"https://security.netapp.com/advisory/ntap-20240621-0006/\",\"source\":\"cve@mitre.org\"},{\"url\":\"https://www.oracle.com/security-alerts/cpujan2022.html\",\"source\":\"cve@mitre.org\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://www.oracle.com/security-alerts/cpujul2022.html\",\"source\":\"cve@mitre.org\"},{\"url\":\"https://github.com/netplex/json-smart-v1/issues/10\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Issue Tracking\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/netplex/json-smart-v1/pull/11\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/netplex/json-smart-v2/issues/67\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Issue Tracking\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/netplex/json-smart-v2/pull/68\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://lists.debian.org/debian-lts-announce/2023/03/msg00030.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://security.netapp.com/advisory/ntap-20240621-0006/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://www.oracle.com/security-alerts/cpujan2022.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://www.oracle.com/security-alerts/cpujul2022.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}]}}", vulnrichment: { containers: "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://github.com/netplex/json-smart-v1/issues/10\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://github.com/netplex/json-smart-v1/pull/11\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://github.com/netplex/json-smart-v2/issues/67\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://github.com/netplex/json-smart-v2/pull/68\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://www.oracle.com/security-alerts/cpujan2022.html\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://www.oracle.com/security-alerts/cpujul2022.html\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://lists.debian.org/debian-lts-announce/2023/03/msg00030.html\", \"name\": \"[debian-lts-announce] 20230331 [SECURITY] [DLA 3373-1] json-smart security update\", \"tags\": [\"mailing-list\", \"x_transferred\"]}, {\"url\": \"https://security.netapp.com/advisory/ntap-20240621-0006/\", \"tags\": [\"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-03T23:03:33.688Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2021-31684\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-06-26T20:29:15.371021Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-06-26T20:29:21.292Z\"}}], \"cna\": {\"affected\": [{\"vendor\": \"n/a\", \"product\": \"n/a\", \"versions\": [{\"status\": \"affected\", \"version\": \"n/a\"}]}], \"references\": [{\"url\": \"https://github.com/netplex/json-smart-v1/issues/10\"}, {\"url\": \"https://github.com/netplex/json-smart-v1/pull/11\"}, {\"url\": \"https://github.com/netplex/json-smart-v2/issues/67\"}, {\"url\": \"https://github.com/netplex/json-smart-v2/pull/68\"}, {\"url\": \"https://www.oracle.com/security-alerts/cpujan2022.html\"}, {\"url\": \"https://www.oracle.com/security-alerts/cpujul2022.html\"}, {\"url\": \"https://lists.debian.org/debian-lts-announce/2023/03/msg00030.html\", \"name\": \"[debian-lts-announce] 20230331 [SECURITY] [DLA 3373-1] json-smart security update\", \"tags\": [\"mailing-list\"]}, {\"url\": \"https://security.netapp.com/advisory/ntap-20240621-0006/\"}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"A vulnerability was discovered in the indexOf function of JSONParserByteArray in JSON Smart versions 1.3 and 2.4 which causes a denial of service (DOS) via a crafted web request.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"text\", \"description\": \"n/a\"}]}], \"providerMetadata\": {\"orgId\": \"8254265b-2729-46b6-b9e3-3dfca2d5bfca\", \"shortName\": \"mitre\", \"dateUpdated\": \"2024-06-21T19:07:27.758330\"}}}", cveMetadata: "{\"cveId\": \"CVE-2021-31684\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2024-08-03T23:03:33.688Z\", \"dateReserved\": \"2021-04-23T00:00:00\", \"assignerOrgId\": \"8254265b-2729-46b6-b9e3-3dfca2d5bfca\", \"datePublished\": \"2021-06-01T00:00:00\", \"assignerShortName\": \"mitre\"}", dataType: "CVE_RECORD", dataVersion: "5.1", }, }, }
WID-SEC-W-2023-1016
Vulnerability from csaf_certbund
Published
2023-04-18 22:00
Modified
2023-12-26 23:00
Summary
Oracle Fusion Middleware: Mehrere Schwachstellen
Notes
Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.
Produktbeschreibung
Oracle Fusion Middleware bündelt mehrere Produkte zur Erstellung, Betrieb und Management von intelligenten Business Anwendungen.
Angriff
Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in Oracle Fusion Middleware ausnutzen, um die Vertraulichkeit, Integrität und Verfügbarkeit zu gefährden.
Betroffene Betriebssysteme
- UNIX
- Linux
- Windows
{ document: { aggregate_severity: { text: "hoch", }, category: "csaf_base", csaf_version: "2.0", distribution: { tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "de-DE", notes: [ { category: "legal_disclaimer", text: "Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.", }, { category: "description", text: "Oracle Fusion Middleware bündelt mehrere Produkte zur Erstellung, Betrieb und Management von intelligenten Business Anwendungen.", title: "Produktbeschreibung", }, { category: "summary", text: "Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in Oracle Fusion Middleware ausnutzen, um die Vertraulichkeit, Integrität und Verfügbarkeit zu gefährden.", title: "Angriff", }, { category: "general", text: "- UNIX\n- Linux\n- Windows", title: "Betroffene Betriebssysteme", }, ], publisher: { category: "other", contact_details: "csaf-provider@cert-bund.de", name: "Bundesamt für Sicherheit in der Informationstechnik", namespace: "https://www.bsi.bund.de", }, references: [ { category: "self", summary: "WID-SEC-W-2023-1016 - CSAF Version", url: "https://wid.cert-bund.de/.well-known/csaf/white/2023/wid-sec-w-2023-1016.json", }, { category: "self", summary: "WID-SEC-2023-1016 - Portal Version", url: "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2023-1016", }, { category: "external", summary: "Oracle Critical Patch Update Advisory - April 2023 - Appendix Oracle Fusion Middleware vom 2023-04-18", url: "https://www.oracle.com/security-alerts/cpuapr2023.html#AppendixFMW", }, { category: "external", summary: "Dell Security Advisory DSA-2023-409 vom 2023-12-23", url: "https://www.dell.com/support/kbdoc/000220669/dsa-2023-=", }, ], source_lang: "en-US", title: "Oracle Fusion Middleware: Mehrere Schwachstellen", tracking: { current_release_date: "2023-12-26T23:00:00.000+00:00", generator: { date: "2024-08-15T17:49:14.060+00:00", engine: { name: "BSI-WID", version: "1.3.5", }, }, id: "WID-SEC-W-2023-1016", initial_release_date: "2023-04-18T22:00:00.000+00:00", revision_history: [ { date: "2023-04-18T22:00:00.000+00:00", number: "1", summary: "Initiale Fassung", }, { date: "2023-12-26T23:00:00.000+00:00", number: "2", summary: "Neue Updates von Dell aufgenommen", }, ], status: "final", version: "2", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_name", name: "Oracle Fusion Middleware 12.2.1.3.0", product: { name: "Oracle Fusion Middleware 12.2.1.3.0", product_id: "618028", product_identification_helper: { cpe: "cpe:/a:oracle:fusion_middleware:12.2.1.3.0", }, }, }, { category: "product_name", name: "Oracle Fusion Middleware 12.2.1.4.0", product: { name: "Oracle Fusion Middleware 12.2.1.4.0", product_id: "751674", product_identification_helper: { cpe: "cpe:/a:oracle:fusion_middleware:12.2.1.4.0", }, }, }, { category: "product_name", name: "Oracle Fusion Middleware 14.1.1.0.0", product: { name: "Oracle Fusion Middleware 14.1.1.0.0", product_id: "829576", product_identification_helper: { cpe: "cpe:/a:oracle:fusion_middleware:14.1.1.0.0", }, }, }, { category: "product_name", name: "Oracle Fusion Middleware 8.5.6", product: { name: "Oracle Fusion Middleware 8.5.6", product_id: "T024993", product_identification_helper: { cpe: "cpe:/a:oracle:fusion_middleware:8.5.6", }, }, }, ], category: "product_name", name: "Fusion Middleware", }, ], category: "vendor", name: "Oracle", }, ], }, vulnerabilities: [ { cve: "CVE-2023-24998", notes: [ { category: "description", text: "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T024993", "618028", "751674", "829576", ], }, release_date: "2023-04-18T22:00:00.000+00:00", title: "CVE-2023-24998", }, { cve: "CVE-2023-22899", notes: [ { category: "description", text: "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T024993", "618028", "751674", "829576", ], }, release_date: "2023-04-18T22:00:00.000+00:00", title: "CVE-2023-22899", }, { cve: "CVE-2023-21996", notes: [ { category: "description", text: "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T024993", "618028", "751674", "829576", ], }, release_date: "2023-04-18T22:00:00.000+00:00", title: "CVE-2023-21996", }, { cve: "CVE-2023-21979", notes: [ { category: "description", text: "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T024993", "618028", "751674", "829576", ], }, release_date: "2023-04-18T22:00:00.000+00:00", title: "CVE-2023-21979", }, { cve: "CVE-2023-21964", notes: [ { category: "description", text: "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T024993", "618028", "751674", "829576", ], }, release_date: "2023-04-18T22:00:00.000+00:00", title: "CVE-2023-21964", }, { cve: "CVE-2023-21960", notes: [ { category: "description", text: "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T024993", "618028", "751674", "829576", ], }, release_date: "2023-04-18T22:00:00.000+00:00", title: "CVE-2023-21960", }, { cve: "CVE-2023-21956", notes: [ { category: "description", text: "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T024993", "618028", "751674", "829576", ], }, release_date: "2023-04-18T22:00:00.000+00:00", title: "CVE-2023-21956", }, { cve: "CVE-2023-21931", notes: [ { category: "description", text: "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T024993", "618028", "751674", "829576", ], }, release_date: "2023-04-18T22:00:00.000+00:00", title: "CVE-2023-21931", }, { cve: "CVE-2022-46908", notes: [ { category: "description", text: "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T024993", "618028", "751674", "829576", ], }, release_date: "2023-04-18T22:00:00.000+00:00", title: "CVE-2022-46908", }, { cve: "CVE-2022-45693", notes: [ { category: "description", text: "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T024993", "618028", "751674", "829576", ], }, release_date: "2023-04-18T22:00:00.000+00:00", title: "CVE-2022-45693", }, { cve: "CVE-2022-45685", notes: [ { category: "description", text: "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T024993", "618028", "751674", "829576", ], }, release_date: "2023-04-18T22:00:00.000+00:00", title: "CVE-2022-45685", }, { cve: "CVE-2022-45047", notes: [ { category: "description", text: "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T024993", "618028", "751674", "829576", ], }, release_date: "2023-04-18T22:00:00.000+00:00", title: "CVE-2022-45047", }, { cve: "CVE-2022-43551", notes: [ { category: "description", text: "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T024993", "618028", "751674", "829576", ], }, release_date: "2023-04-18T22:00:00.000+00:00", title: "CVE-2022-43551", }, { cve: "CVE-2022-42890", notes: [ { category: "description", text: "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T024993", "618028", "751674", "829576", ], }, release_date: "2023-04-18T22:00:00.000+00:00", title: "CVE-2022-42890", }, { cve: "CVE-2022-42003", notes: [ { category: "description", text: "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T024993", "618028", "751674", "829576", ], }, release_date: "2023-04-18T22:00:00.000+00:00", title: "CVE-2022-42003", }, { cve: "CVE-2022-41966", notes: [ { category: "description", text: "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T024993", "618028", "751674", "829576", ], }, release_date: "2023-04-18T22:00:00.000+00:00", title: "CVE-2022-41966", }, { cve: "CVE-2022-41881", notes: [ { category: "description", text: "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T024993", "618028", "751674", "829576", ], }, release_date: "2023-04-18T22:00:00.000+00:00", title: "CVE-2022-41881", }, { cve: "CVE-2022-40304", notes: [ { category: "description", text: "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T024993", "618028", "751674", "829576", ], }, release_date: "2023-04-18T22:00:00.000+00:00", title: "CVE-2022-40304", }, { cve: "CVE-2022-40152", notes: [ { category: "description", text: "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T024993", "618028", "751674", "829576", ], }, release_date: "2023-04-18T22:00:00.000+00:00", title: "CVE-2022-40152", }, { cve: "CVE-2022-40151", notes: [ { category: "description", text: "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T024993", "618028", "751674", "829576", ], }, release_date: "2023-04-18T22:00:00.000+00:00", title: "CVE-2022-40151", }, { cve: "CVE-2022-40149", notes: [ { category: "description", text: "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T024993", "618028", "751674", "829576", ], }, release_date: "2023-04-18T22:00:00.000+00:00", title: "CVE-2022-40149", }, { cve: "CVE-2022-37434", notes: [ { category: "description", text: "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T024993", "618028", "751674", "829576", ], }, release_date: "2023-04-18T22:00:00.000+00:00", title: "CVE-2022-37434", }, { cve: "CVE-2022-36033", notes: [ { category: "description", text: "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T024993", "618028", "751674", "829576", ], }, release_date: "2023-04-18T22:00:00.000+00:00", title: "CVE-2022-36033", }, { cve: "CVE-2022-34305", notes: [ { category: "description", text: "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T024993", "618028", "751674", "829576", ], }, release_date: "2023-04-18T22:00:00.000+00:00", title: "CVE-2022-34305", }, { cve: "CVE-2022-33980", notes: [ { category: "description", text: "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T024993", "618028", "751674", "829576", ], }, release_date: "2023-04-18T22:00:00.000+00:00", title: "CVE-2022-33980", }, { cve: "CVE-2022-31160", notes: [ { category: "description", text: "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T024993", "618028", "751674", "829576", ], }, release_date: "2023-04-18T22:00:00.000+00:00", title: "CVE-2022-31160", }, { cve: "CVE-2022-29599", notes: [ { category: "description", text: "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T024993", "618028", "751674", "829576", ], }, release_date: "2023-04-18T22:00:00.000+00:00", title: "CVE-2022-29599", }, { cve: "CVE-2022-22965", notes: [ { category: "description", text: "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T024993", "618028", "751674", "829576", ], }, release_date: "2023-04-18T22:00:00.000+00:00", title: "CVE-2022-22965", }, { cve: "CVE-2021-37533", notes: [ { category: "description", text: "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T024993", "618028", "751674", "829576", ], }, release_date: "2023-04-18T22:00:00.000+00:00", title: "CVE-2021-37533", }, { cve: "CVE-2021-36374", notes: [ { category: "description", text: "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T024993", "618028", "751674", "829576", ], }, release_date: "2023-04-18T22:00:00.000+00:00", title: "CVE-2021-36374", }, { cve: "CVE-2021-36090", notes: [ { category: "description", text: "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T024993", "618028", "751674", "829576", ], }, release_date: "2023-04-18T22:00:00.000+00:00", title: "CVE-2021-36090", }, { cve: "CVE-2021-34798", notes: [ { category: "description", text: "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T024993", "618028", "751674", "829576", ], }, release_date: "2023-04-18T22:00:00.000+00:00", title: "CVE-2021-34798", }, { cve: "CVE-2021-31684", notes: [ { category: "description", text: "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T024993", "618028", "751674", "829576", ], }, release_date: "2023-04-18T22:00:00.000+00:00", title: "CVE-2021-31684", }, { cve: "CVE-2021-22569", notes: [ { category: "description", text: "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T024993", "618028", "751674", "829576", ], }, release_date: "2023-04-18T22:00:00.000+00:00", title: "CVE-2021-22569", }, { cve: "CVE-2020-6950", notes: [ { category: "description", text: "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T024993", "618028", "751674", "829576", ], }, release_date: "2023-04-18T22:00:00.000+00:00", title: "CVE-2020-6950", }, { cve: "CVE-2020-25638", notes: [ { category: "description", text: "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T024993", "618028", "751674", "829576", ], }, release_date: "2023-04-18T22:00:00.000+00:00", title: "CVE-2020-25638", }, { cve: "CVE-2020-13954", notes: [ { category: "description", text: "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T024993", "618028", "751674", "829576", ], }, release_date: "2023-04-18T22:00:00.000+00:00", title: "CVE-2020-13954", }, { cve: "CVE-2019-20916", notes: [ { category: "description", text: "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T024993", "618028", "751674", "829576", ], }, release_date: "2023-04-18T22:00:00.000+00:00", title: "CVE-2019-20916", }, { cve: "CVE-2018-14371", notes: [ { category: "description", text: "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T024993", "618028", "751674", "829576", ], }, release_date: "2023-04-18T22:00:00.000+00:00", title: "CVE-2018-14371", }, ], }
WID-SEC-W-2024-0257
Vulnerability from csaf_certbund
Published
2024-01-30 23:00
Modified
2024-02-01 23:00
Summary
IBM QRadar SIEM User Behavior Analytics: Mehrere Schwachstellen
Notes
Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.
Produktbeschreibung
IBM QRadar Security Information and Event Management (SIEM) bietet Unterstützung bei der Erkennung und Priorisierung von Sicherheitsbedrohungen im Unternehmen.
Angriff
Ein anonymer Angreifer kann mehrere Schwachstellen in IBM QRadar SIEM User Behavior Analytics ausnutzen, um einen Denial-of-Service-Zustand herbeizuführen, einen Man-in-the-Middle-Angriff durchzuführen oder vertrauliche Informationen offenzulegen.
Betroffene Betriebssysteme
- Linux
{ document: { aggregate_severity: { text: "hoch", }, category: "csaf_base", csaf_version: "2.0", distribution: { tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "de-DE", notes: [ { category: "legal_disclaimer", text: "Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.", }, { category: "description", text: "IBM QRadar Security Information and Event Management (SIEM) bietet Unterstützung bei der Erkennung und Priorisierung von Sicherheitsbedrohungen im Unternehmen.", title: "Produktbeschreibung", }, { category: "summary", text: "Ein anonymer Angreifer kann mehrere Schwachstellen in IBM QRadar SIEM User Behavior Analytics ausnutzen, um einen Denial-of-Service-Zustand herbeizuführen, einen Man-in-the-Middle-Angriff durchzuführen oder vertrauliche Informationen offenzulegen.", title: "Angriff", }, { category: "general", text: "- Linux", title: "Betroffene Betriebssysteme", }, ], publisher: { category: "other", contact_details: "csaf-provider@cert-bund.de", name: "Bundesamt für Sicherheit in der Informationstechnik", namespace: "https://www.bsi.bund.de", }, references: [ { category: "self", summary: "WID-SEC-W-2024-0257 - CSAF Version", url: "https://wid.cert-bund.de/.well-known/csaf/white/2024/wid-sec-w-2024-0257.json", }, { category: "self", summary: "WID-SEC-2024-0257 - Portal Version", url: "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2024-0257", }, { category: "external", summary: "IBM Security Bulletin vom 2024-01-30", url: "https://www.ibm.com/support/pages/node/7112498", }, ], source_lang: "en-US", title: "IBM QRadar SIEM User Behavior Analytics: Mehrere Schwachstellen", tracking: { current_release_date: "2024-02-01T23:00:00.000+00:00", generator: { date: "2024-08-15T18:04:41.191+00:00", engine: { name: "BSI-WID", version: "1.3.5", }, }, id: "WID-SEC-W-2024-0257", initial_release_date: "2024-01-30T23:00:00.000+00:00", revision_history: [ { date: "2024-01-30T23:00:00.000+00:00", number: "1", summary: "Initiale Fassung", }, { date: "2024-02-01T23:00:00.000+00:00", number: "2", summary: "Produkt angepasst", }, ], status: "final", version: "2", }, }, product_tree: { branches: [ { branches: [ { category: "product_name", name: "IBM QRadar SIEM User Behavior Analytics < 4.1.14", product: { name: "IBM QRadar SIEM User Behavior Analytics < 4.1.14", product_id: "T032482", product_identification_helper: { cpe: "cpe:/a:ibm:qradar_siem:user_behavior_analytics__4.1.14", }, }, }, ], category: "vendor", name: "IBM", }, ], }, vulnerabilities: [ { cve: "CVE-2023-31484", notes: [ { category: "description", text: "Es bestehen mehrere Schwachstellen in IBM QRadar SIEM User Behavior Analytics. Diese Fehler bestehen in mehreren Komponenten wie CPAN.pm oder datatables.net, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer unsachgemäßen Validierung von TLS-Zertifikaten, einem Out-of-Bounds-Read oder einer unsachgemäßen Validierung der vom Benutzer bereitgestellten Eingaben. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand auszulösen, einen Man-in-the-Middle-Angriff durchzuführen oder vertrauliche Informationen offenzulegen.", }, ], release_date: "2024-01-30T23:00:00.000+00:00", title: "CVE-2023-31484", }, { cve: "CVE-2023-1370", notes: [ { category: "description", text: "Es bestehen mehrere Schwachstellen in IBM QRadar SIEM User Behavior Analytics. Diese Fehler bestehen in mehreren Komponenten wie CPAN.pm oder datatables.net, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer unsachgemäßen Validierung von TLS-Zertifikaten, einem Out-of-Bounds-Read oder einer unsachgemäßen Validierung der vom Benutzer bereitgestellten Eingaben. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand auszulösen, einen Man-in-the-Middle-Angriff durchzuführen oder vertrauliche Informationen offenzulegen.", }, ], release_date: "2024-01-30T23:00:00.000+00:00", title: "CVE-2023-1370", }, { cve: "CVE-2021-4048", notes: [ { category: "description", text: "Es bestehen mehrere Schwachstellen in IBM QRadar SIEM User Behavior Analytics. Diese Fehler bestehen in mehreren Komponenten wie CPAN.pm oder datatables.net, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer unsachgemäßen Validierung von TLS-Zertifikaten, einem Out-of-Bounds-Read oder einer unsachgemäßen Validierung der vom Benutzer bereitgestellten Eingaben. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand auszulösen, einen Man-in-the-Middle-Angriff durchzuführen oder vertrauliche Informationen offenzulegen.", }, ], release_date: "2024-01-30T23:00:00.000+00:00", title: "CVE-2021-4048", }, { cve: "CVE-2021-31684", notes: [ { category: "description", text: "Es bestehen mehrere Schwachstellen in IBM QRadar SIEM User Behavior Analytics. Diese Fehler bestehen in mehreren Komponenten wie CPAN.pm oder datatables.net, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer unsachgemäßen Validierung von TLS-Zertifikaten, einem Out-of-Bounds-Read oder einer unsachgemäßen Validierung der vom Benutzer bereitgestellten Eingaben. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand auszulösen, einen Man-in-the-Middle-Angriff durchzuführen oder vertrauliche Informationen offenzulegen.", }, ], release_date: "2024-01-30T23:00:00.000+00:00", title: "CVE-2021-31684", }, { cve: "CVE-2021-23445", notes: [ { category: "description", text: "Es bestehen mehrere Schwachstellen in IBM QRadar SIEM User Behavior Analytics. Diese Fehler bestehen in mehreren Komponenten wie CPAN.pm oder datatables.net, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer unsachgemäßen Validierung von TLS-Zertifikaten, einem Out-of-Bounds-Read oder einer unsachgemäßen Validierung der vom Benutzer bereitgestellten Eingaben. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand auszulösen, einen Man-in-the-Middle-Angriff durchzuführen oder vertrauliche Informationen offenzulegen.", }, ], release_date: "2024-01-30T23:00:00.000+00:00", title: "CVE-2021-23445", }, ], }
WID-SEC-W-2023-2700
Vulnerability from csaf_certbund
Published
2023-10-17 22:00
Modified
2023-12-12 23:00
Summary
Atlassian Confluence: Mehrere Schwachstellen
Notes
Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.
Produktbeschreibung
Confluence ist eine kommerzielle Wiki-Software.
Jira ist eine Webanwendung zur Softwareentwicklung.
Bitbucket ist ein Git-Server zur Sourcecode-Versionskontrolle.
Bamboo ist ein Werkzeug zur kontinuierlichen Integration und Bereitstellung, das automatisierte Builds, Tests und Freigaben in einem einzigen Arbeitsablauf verbindet.
Angriff
Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in Atlassian Confluence, Atlassian Jira Software, Atlassian Bitbucket und Atlassian Bamboo ausnutzen, um Administratorrechte zu erlangen, Informationen offenzulegen, beliebigen Programmcode auszuführen oder einen Denial of Service Zustand herbeizuführen.
Betroffene Betriebssysteme
- UNIX
- Linux
- Windows
{ document: { aggregate_severity: { text: "kritisch", }, category: "csaf_base", csaf_version: "2.0", distribution: { tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "de-DE", notes: [ { category: "legal_disclaimer", text: "Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.", }, { category: "description", text: "Confluence ist eine kommerzielle Wiki-Software.\r\nJira ist eine Webanwendung zur Softwareentwicklung.\r\nBitbucket ist ein Git-Server zur Sourcecode-Versionskontrolle.\r\nBamboo ist ein Werkzeug zur kontinuierlichen Integration und Bereitstellung, das automatisierte Builds, Tests und Freigaben in einem einzigen Arbeitsablauf verbindet.", title: "Produktbeschreibung", }, { category: "summary", text: "Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in Atlassian Confluence, Atlassian Jira Software, Atlassian Bitbucket und Atlassian Bamboo ausnutzen, um Administratorrechte zu erlangen, Informationen offenzulegen, beliebigen Programmcode auszuführen oder einen Denial of Service Zustand herbeizuführen.", title: "Angriff", }, { category: "general", text: "- UNIX\n- Linux\n- Windows", title: "Betroffene Betriebssysteme", }, ], publisher: { category: "other", contact_details: "csaf-provider@cert-bund.de", name: "Bundesamt für Sicherheit in der Informationstechnik", namespace: "https://www.bsi.bund.de", }, references: [ { category: "self", summary: "WID-SEC-W-2023-2700 - CSAF Version", url: "https://wid.cert-bund.de/.well-known/csaf/white/2023/wid-sec-w-2023-2700.json", }, { category: "self", summary: "WID-SEC-2023-2700 - Portal Version", url: "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2023-2700", }, { category: "external", summary: "Atlassian Security Update vom 2023-10-17", url: "https://confluence.atlassian.com/security/security-bulletin-october-17-2023-1299929380.html", }, { category: "external", summary: "Atlassian Security Bulletin December 12 2023 vom 2023-12-12", url: "https://confluence.atlassian.com/security/security-bulletin-december-12-2023-1319249520.html", }, ], source_lang: "en-US", title: "Atlassian Confluence: Mehrere Schwachstellen", tracking: { current_release_date: "2023-12-12T23:00:00.000+00:00", generator: { date: "2024-08-15T18:00:13.228+00:00", engine: { name: "BSI-WID", version: "1.3.5", }, }, id: "WID-SEC-W-2023-2700", initial_release_date: "2023-10-17T22:00:00.000+00:00", revision_history: [ { date: "2023-10-17T22:00:00.000+00:00", number: "1", summary: "Initiale Fassung", }, { date: "2023-12-12T23:00:00.000+00:00", number: "2", summary: "Neue Updates aufgenommen", }, ], status: "final", version: "2", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_name", name: "Atlassian Bamboo < 9.2.7", product: { name: "Atlassian Bamboo < 9.2.7", product_id: "1529586", product_identification_helper: { cpe: "cpe:/a:atlassian:bamboo:9.2.7", }, }, }, { category: "product_name", name: "Atlassian Bamboo < 9.2.5 Data Center and Server", product: { name: "Atlassian Bamboo < 9.2.5 Data Center and Server", product_id: "T030667", product_identification_helper: { cpe: "cpe:/a:atlassian:bamboo:9.2.5_data_center_and_server", }, }, }, { category: "product_name", name: "Atlassian Bamboo < 9.3.1 Data Center and Server", product: { name: "Atlassian Bamboo < 9.3.1 Data Center and Server", product_id: "T030668", product_identification_helper: { cpe: "cpe:/a:atlassian:bamboo:9.3.1_data_center_and_server", }, }, }, { category: "product_name", name: "Atlassian Bamboo < 9.3.3 Data Center and Server", product: { name: "Atlassian Bamboo < 9.3.3 Data Center and Server", product_id: "T030669", product_identification_helper: { cpe: "cpe:/a:atlassian:bamboo:9.3.3_data_center_and_server", }, }, }, { category: "product_name", name: "Atlassian Bamboo < 9.3.5", product: { name: "Atlassian Bamboo < 9.3.5", product_id: "T031324", product_identification_helper: { cpe: "cpe:/a:atlassian:bamboo:9.3.5", }, }, }, ], category: "product_name", name: "Bamboo", }, { branches: [ { category: "product_name", name: "Atlassian Bitbucket < 8.13.1 Data Center and Server", product: { name: "Atlassian Bitbucket < 8.13.1 Data Center and Server", product_id: "T030666", product_identification_helper: { cpe: "cpe:/a:atlassian:bitbucket:8.13.1_data_center_and_server", }, }, }, { category: "product_name", name: "Atlassian Bitbucket < 7.21.18", product: { name: "Atlassian Bitbucket < 7.21.18", product_id: "T031325", product_identification_helper: { cpe: "cpe:/a:atlassian:bitbucket:7.21.18", }, }, }, { category: "product_name", name: "Atlassian Bitbucket < 8.9.7", product: { name: "Atlassian Bitbucket < 8.9.7", product_id: "T031614", product_identification_helper: { cpe: "cpe:/a:atlassian:bitbucket:8.9.7", }, }, }, { category: "product_name", name: "Atlassian Bitbucket < 8.11.6", product: { name: "Atlassian Bitbucket < 8.11.6", product_id: "T031615", product_identification_helper: { cpe: "cpe:/a:atlassian:bitbucket:8.11.6", }, }, }, { category: "product_name", name: "Atlassian Bitbucket < 8.12.4", product: { name: "Atlassian Bitbucket < 8.12.4", product_id: "T031616", product_identification_helper: { cpe: "cpe:/a:atlassian:bitbucket:8.12.4", }, }, }, { category: "product_name", name: "Atlassian Bitbucket < 8.13.3", product: { name: "Atlassian Bitbucket < 8.13.3", product_id: "T031617", product_identification_helper: { cpe: "cpe:/a:atlassian:bitbucket:8.13.3", }, }, }, { category: "product_name", name: "Atlassian Bitbucket < 8.14.2", product: { name: "Atlassian Bitbucket < 8.14.2", product_id: "T031618", product_identification_helper: { cpe: "cpe:/a:atlassian:bitbucket:8.14.2", }, }, }, ], category: "product_name", name: "Bitbucket", }, { branches: [ { category: "product_name", name: "Atlassian Confluence < 8.3.3 Server and Data Center", product: { name: "Atlassian Confluence < 8.3.3 Server and Data Center", product_id: "T030660", product_identification_helper: { cpe: "cpe:/a:atlassian:confluence:8.3.3_server_and_data_center", }, }, }, { category: "product_name", name: "Atlassian Confluence < 8.5.2 Server and Data Center", product: { name: "Atlassian Confluence < 8.5.2 Server and Data Center", product_id: "T030662", product_identification_helper: { cpe: "cpe:/a:atlassian:confluence:8.5.2_server_and_data_center", }, }, }, { category: "product_name", name: "Atlassian Confluence < 8.4.3 Server and Data Center", product: { name: "Atlassian Confluence < 8.4.3 Server and Data Center", product_id: "T030663", product_identification_helper: { cpe: "cpe:/a:atlassian:confluence:8.4.3_server_and_data_center", }, }, }, { category: "product_name", name: "Atlassian Confluence < 8.3.4", product: { name: "Atlassian Confluence < 8.3.4", product_id: "T030846", product_identification_helper: { cpe: "cpe:/a:atlassian:confluence:8.3.4", }, }, }, { category: "product_name", name: "Atlassian Confluence < 7.19.17", product: { name: "Atlassian Confluence < 7.19.17", product_id: "T031609", product_identification_helper: { cpe: "cpe:/a:atlassian:confluence:7.19.17", }, }, }, { category: "product_name", name: "Atlassian Confluence < 8.4.5", product: { name: "Atlassian Confluence < 8.4.5", product_id: "T031610", product_identification_helper: { cpe: "cpe:/a:atlassian:confluence:8.4.5", }, }, }, { category: "product_name", name: "Atlassian Confluence < 8.5.4", product: { name: "Atlassian Confluence < 8.5.4", product_id: "T031611", product_identification_helper: { cpe: "cpe:/a:atlassian:confluence:8.5.4", }, }, }, { category: "product_name", name: "Atlassian Confluence < 8.6.2", product: { name: "Atlassian Confluence < 8.6.2", product_id: "T031612", product_identification_helper: { cpe: "cpe:/a:atlassian:confluence:8.6.2", }, }, }, { category: "product_name", name: "Atlassian Confluence < 8.7.1", product: { name: "Atlassian Confluence < 8.7.1", product_id: "T031613", product_identification_helper: { cpe: "cpe:/a:atlassian:confluence:8.7.1", }, }, }, ], category: "product_name", name: "Confluence", }, { branches: [ { category: "product_name", name: "Atlassian Jira Software < 4.20.27 Service Management Data Center and Server", product: { name: "Atlassian Jira Software < 4.20.27 Service Management Data Center and Server", product_id: "T030664", product_identification_helper: { cpe: "cpe:/a:atlassian:jira_software:4.20.27_service_management_data_center_and_server", }, }, }, { category: "product_name", name: "Atlassian Jira Software < 5.4.11 Service Management Data Center and Server", product: { name: "Atlassian Jira Software < 5.4.11 Service Management Data Center and Server", product_id: "T030665", product_identification_helper: { cpe: "cpe:/a:atlassian:jira_software:5.4.11_service_management_data_center_and_server", }, }, }, { category: "product_name", name: "Atlassian Jira Software < 9.4.13", product: { name: "Atlassian Jira Software < 9.4.13", product_id: "T031606", product_identification_helper: { cpe: "cpe:/a:atlassian:jira_software:9.4.13", }, }, }, { category: "product_name", name: "Atlassian Jira Software Service Management < 4.20.28", product: { name: "Atlassian Jira Software Service Management < 4.20.28", product_id: "T031607", product_identification_helper: { cpe: "cpe:/a:atlassian:jira_software:service_management__4.20.28", }, }, }, { category: "product_name", name: "Atlassian Jira Software Service Management < 5.4.12", product: { name: "Atlassian Jira Software Service Management < 5.4.12", product_id: "T031608", product_identification_helper: { cpe: "cpe:/a:atlassian:jira_software:service_management__5.4.12", }, }, }, ], category: "product_name", name: "Jira Software", }, ], category: "vendor", name: "Atlassian", }, ], }, vulnerabilities: [ { cve: "CVE-2023-28709", notes: [ { category: "description", text: "In Atlassian Confluence, Atlassian Jira Software, Atlassian Bitbucket und Atlassian Bamboo existieren mehrere Schwachstellen. Diese Schwachstellen bestehen teilweise in Komponenten von Drittanbietern und sind nicht im Detail beschrieben. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um Administratorrechte zu erlangen, Informationen offenzulegen, beliebigen Programmcode auszuführen oder einen Denial of Service Zustand herbeizuführen. Für die Ausnutzung einiger dieser Schwachstellen ist eine Benutzerinteraktion erforderlich.", }, ], product_status: { known_affected: [ "T031324", "T031610", "T031612", "T031325", "T031611", "T031614", "T031613", "1529586", "T030846", "T031616", "T031615", "T031607", "T031618", "T031606", "T031617", "T031609", "T031608", ], }, release_date: "2023-10-17T22:00:00.000+00:00", title: "CVE-2023-28709", }, { cve: "CVE-2023-25194", notes: [ { category: "description", text: "In Atlassian Confluence, Atlassian Jira Software, Atlassian Bitbucket und Atlassian Bamboo existieren mehrere Schwachstellen. Diese Schwachstellen bestehen teilweise in Komponenten von Drittanbietern und sind nicht im Detail beschrieben. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um Administratorrechte zu erlangen, Informationen offenzulegen, beliebigen Programmcode auszuführen oder einen Denial of Service Zustand herbeizuführen. Für die Ausnutzung einiger dieser Schwachstellen ist eine Benutzerinteraktion erforderlich.", }, ], product_status: { known_affected: [ "T031324", "T031610", "T031612", "T031325", "T031611", "T031614", "T031613", "1529586", "T030846", "T031616", "T031615", "T031607", "T031618", "T031606", "T031617", "T031609", "T031608", ], }, release_date: "2023-10-17T22:00:00.000+00:00", title: "CVE-2023-25194", }, { cve: "CVE-2023-22515", notes: [ { category: "description", text: "In Atlassian Confluence, Atlassian Jira Software, Atlassian Bitbucket und Atlassian Bamboo existieren mehrere Schwachstellen. Diese Schwachstellen bestehen teilweise in Komponenten von Drittanbietern und sind nicht im Detail beschrieben. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um Administratorrechte zu erlangen, Informationen offenzulegen, beliebigen Programmcode auszuführen oder einen Denial of Service Zustand herbeizuführen. Für die Ausnutzung einiger dieser Schwachstellen ist eine Benutzerinteraktion erforderlich.", }, ], product_status: { known_affected: [ "T031324", "T031610", "T031612", "T031325", "T031611", "T031614", "T031613", "1529586", "T030846", "T031616", "T031615", "T031607", "T031618", "T031606", "T031617", "T031609", "T031608", ], }, release_date: "2023-10-17T22:00:00.000+00:00", title: "CVE-2023-22515", }, { cve: "CVE-2023-22514", notes: [ { category: "description", text: "In Atlassian Confluence, Atlassian Jira Software, Atlassian Bitbucket und Atlassian Bamboo existieren mehrere Schwachstellen. Diese Schwachstellen bestehen teilweise in Komponenten von Drittanbietern und sind nicht im Detail beschrieben. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um Administratorrechte zu erlangen, Informationen offenzulegen, beliebigen Programmcode auszuführen oder einen Denial of Service Zustand herbeizuführen. Für die Ausnutzung einiger dieser Schwachstellen ist eine Benutzerinteraktion erforderlich.", }, ], product_status: { known_affected: [ "T031324", "T031610", "T031612", "T031325", "T031611", "T031614", "T031613", "1529586", "T030846", "T031616", "T031615", "T031607", "T031618", "T031606", "T031617", "T031609", "T031608", ], }, release_date: "2023-10-17T22:00:00.000+00:00", title: "CVE-2023-22514", }, { cve: "CVE-2023-1370", notes: [ { category: "description", text: "In Atlassian Confluence, Atlassian Jira Software, Atlassian Bitbucket und Atlassian Bamboo existieren mehrere Schwachstellen. Diese Schwachstellen bestehen teilweise in Komponenten von Drittanbietern und sind nicht im Detail beschrieben. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um Administratorrechte zu erlangen, Informationen offenzulegen, beliebigen Programmcode auszuführen oder einen Denial of Service Zustand herbeizuführen. Für die Ausnutzung einiger dieser Schwachstellen ist eine Benutzerinteraktion erforderlich.", }, ], product_status: { known_affected: [ "T031324", "T031610", "T031612", "T031325", "T031611", "T031614", "T031613", "1529586", "T030846", "T031616", "T031615", "T031607", "T031618", "T031606", "T031617", "T031609", "T031608", ], }, release_date: "2023-10-17T22:00:00.000+00:00", title: "CVE-2023-1370", }, { cve: "CVE-2022-45688", notes: [ { category: "description", text: "In Atlassian Confluence, Atlassian Jira Software, Atlassian Bitbucket und Atlassian Bamboo existieren mehrere Schwachstellen. Diese Schwachstellen bestehen teilweise in Komponenten von Drittanbietern und sind nicht im Detail beschrieben. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um Administratorrechte zu erlangen, Informationen offenzulegen, beliebigen Programmcode auszuführen oder einen Denial of Service Zustand herbeizuführen. Für die Ausnutzung einiger dieser Schwachstellen ist eine Benutzerinteraktion erforderlich.", }, ], product_status: { known_affected: [ "T031324", "T031610", "T031612", "T031325", "T031611", "T031614", "T031613", "1529586", "T030846", "T031616", "T031615", "T031607", "T031618", "T031606", "T031617", "T031609", "T031608", ], }, release_date: "2023-10-17T22:00:00.000+00:00", title: "CVE-2022-45688", }, { cve: "CVE-2022-45685", notes: [ { category: "description", text: "In Atlassian Confluence, Atlassian Jira Software, Atlassian Bitbucket und Atlassian Bamboo existieren mehrere Schwachstellen. Diese Schwachstellen bestehen teilweise in Komponenten von Drittanbietern und sind nicht im Detail beschrieben. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um Administratorrechte zu erlangen, Informationen offenzulegen, beliebigen Programmcode auszuführen oder einen Denial of Service Zustand herbeizuführen. Für die Ausnutzung einiger dieser Schwachstellen ist eine Benutzerinteraktion erforderlich.", }, ], product_status: { known_affected: [ "T031324", "T031610", "T031612", "T031325", "T031611", "T031614", "T031613", "1529586", "T030846", "T031616", "T031615", "T031607", "T031618", "T031606", "T031617", "T031609", "T031608", ], }, release_date: "2023-10-17T22:00:00.000+00:00", title: "CVE-2022-45685", }, { cve: "CVE-2022-42004", notes: [ { category: "description", text: "In Atlassian Confluence, Atlassian Jira Software, Atlassian Bitbucket und Atlassian Bamboo existieren mehrere Schwachstellen. Diese Schwachstellen bestehen teilweise in Komponenten von Drittanbietern und sind nicht im Detail beschrieben. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um Administratorrechte zu erlangen, Informationen offenzulegen, beliebigen Programmcode auszuführen oder einen Denial of Service Zustand herbeizuführen. Für die Ausnutzung einiger dieser Schwachstellen ist eine Benutzerinteraktion erforderlich.", }, ], product_status: { known_affected: [ "T031324", "T031610", "T031612", "T031325", "T031611", "T031614", "T031613", "1529586", "T030846", "T031616", "T031615", "T031607", "T031618", "T031606", "T031617", "T031609", "T031608", ], }, release_date: "2023-10-17T22:00:00.000+00:00", title: "CVE-2022-42004", }, { cve: "CVE-2022-42003", notes: [ { category: "description", text: "In Atlassian Confluence, Atlassian Jira Software, Atlassian Bitbucket und Atlassian Bamboo existieren mehrere Schwachstellen. Diese Schwachstellen bestehen teilweise in Komponenten von Drittanbietern und sind nicht im Detail beschrieben. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um Administratorrechte zu erlangen, Informationen offenzulegen, beliebigen Programmcode auszuführen oder einen Denial of Service Zustand herbeizuführen. Für die Ausnutzung einiger dieser Schwachstellen ist eine Benutzerinteraktion erforderlich.", }, ], product_status: { known_affected: [ "T031324", "T031610", "T031612", "T031325", "T031611", "T031614", "T031613", "1529586", "T030846", "T031616", "T031615", "T031607", "T031618", "T031606", "T031617", "T031609", "T031608", ], }, release_date: "2023-10-17T22:00:00.000+00:00", title: "CVE-2022-42003", }, { cve: "CVE-2022-41906", notes: [ { category: "description", text: "In Atlassian Confluence, Atlassian Jira Software, Atlassian Bitbucket und Atlassian Bamboo existieren mehrere Schwachstellen. Diese Schwachstellen bestehen teilweise in Komponenten von Drittanbietern und sind nicht im Detail beschrieben. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um Administratorrechte zu erlangen, Informationen offenzulegen, beliebigen Programmcode auszuführen oder einen Denial of Service Zustand herbeizuführen. Für die Ausnutzung einiger dieser Schwachstellen ist eine Benutzerinteraktion erforderlich.", }, ], product_status: { known_affected: [ "T031324", "T031610", "T031612", "T031325", "T031611", "T031614", "T031613", "1529586", "T030846", "T031616", "T031615", "T031607", "T031618", "T031606", "T031617", "T031609", "T031608", ], }, release_date: "2023-10-17T22:00:00.000+00:00", title: "CVE-2022-41906", }, { cve: "CVE-2022-40152", notes: [ { category: "description", text: "In Atlassian Confluence, Atlassian Jira Software, Atlassian Bitbucket und Atlassian Bamboo existieren mehrere Schwachstellen. Diese Schwachstellen bestehen teilweise in Komponenten von Drittanbietern und sind nicht im Detail beschrieben. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um Administratorrechte zu erlangen, Informationen offenzulegen, beliebigen Programmcode auszuführen oder einen Denial of Service Zustand herbeizuführen. Für die Ausnutzung einiger dieser Schwachstellen ist eine Benutzerinteraktion erforderlich.", }, ], product_status: { known_affected: [ "T031324", "T031610", "T031612", "T031325", "T031611", "T031614", "T031613", "1529586", "T030846", "T031616", "T031615", "T031607", "T031618", "T031606", "T031617", "T031609", "T031608", ], }, release_date: "2023-10-17T22:00:00.000+00:00", title: "CVE-2022-40152", }, { cve: "CVE-2022-3509", notes: [ { category: "description", text: "In Atlassian Confluence, Atlassian Jira Software, Atlassian Bitbucket und Atlassian Bamboo existieren mehrere Schwachstellen. Diese Schwachstellen bestehen teilweise in Komponenten von Drittanbietern und sind nicht im Detail beschrieben. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um Administratorrechte zu erlangen, Informationen offenzulegen, beliebigen Programmcode auszuführen oder einen Denial of Service Zustand herbeizuführen. Für die Ausnutzung einiger dieser Schwachstellen ist eine Benutzerinteraktion erforderlich.", }, ], product_status: { known_affected: [ "T031324", "T031610", "T031612", "T031325", "T031611", "T031614", "T031613", "1529586", "T030846", "T031616", "T031615", "T031607", "T031618", "T031606", "T031617", "T031609", "T031608", ], }, release_date: "2023-10-17T22:00:00.000+00:00", title: "CVE-2022-3509", }, { cve: "CVE-2022-3171", notes: [ { category: "description", text: "In Atlassian Confluence, Atlassian Jira Software, Atlassian Bitbucket und Atlassian Bamboo existieren mehrere Schwachstellen. Diese Schwachstellen bestehen teilweise in Komponenten von Drittanbietern und sind nicht im Detail beschrieben. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um Administratorrechte zu erlangen, Informationen offenzulegen, beliebigen Programmcode auszuführen oder einen Denial of Service Zustand herbeizuführen. Für die Ausnutzung einiger dieser Schwachstellen ist eine Benutzerinteraktion erforderlich.", }, ], product_status: { known_affected: [ "T031324", "T031610", "T031612", "T031325", "T031611", "T031614", "T031613", "1529586", "T030846", "T031616", "T031615", "T031607", "T031618", "T031606", "T031617", "T031609", "T031608", ], }, release_date: "2023-10-17T22:00:00.000+00:00", title: "CVE-2022-3171", }, { cve: "CVE-2022-25647", notes: [ { category: "description", text: "In Atlassian Confluence, Atlassian Jira Software, Atlassian Bitbucket und Atlassian Bamboo existieren mehrere Schwachstellen. Diese Schwachstellen bestehen teilweise in Komponenten von Drittanbietern und sind nicht im Detail beschrieben. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um Administratorrechte zu erlangen, Informationen offenzulegen, beliebigen Programmcode auszuführen oder einen Denial of Service Zustand herbeizuführen. Für die Ausnutzung einiger dieser Schwachstellen ist eine Benutzerinteraktion erforderlich.", }, ], product_status: { known_affected: [ "T031324", "T031610", "T031612", "T031325", "T031611", "T031614", "T031613", "1529586", "T030846", "T031616", "T031615", "T031607", "T031618", "T031606", "T031617", "T031609", "T031608", ], }, release_date: "2023-10-17T22:00:00.000+00:00", title: "CVE-2022-25647", }, { cve: "CVE-2021-46877", notes: [ { category: "description", text: "In Atlassian Confluence, Atlassian Jira Software, Atlassian Bitbucket und Atlassian Bamboo existieren mehrere Schwachstellen. Diese Schwachstellen bestehen teilweise in Komponenten von Drittanbietern und sind nicht im Detail beschrieben. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um Administratorrechte zu erlangen, Informationen offenzulegen, beliebigen Programmcode auszuführen oder einen Denial of Service Zustand herbeizuführen. Für die Ausnutzung einiger dieser Schwachstellen ist eine Benutzerinteraktion erforderlich.", }, ], product_status: { known_affected: [ "T031324", "T031610", "T031612", "T031325", "T031611", "T031614", "T031613", "1529586", "T030846", "T031616", "T031615", "T031607", "T031618", "T031606", "T031617", "T031609", "T031608", ], }, release_date: "2023-10-17T22:00:00.000+00:00", title: "CVE-2021-46877", }, { cve: "CVE-2021-31684", notes: [ { category: "description", text: "In Atlassian Confluence, Atlassian Jira Software, Atlassian Bitbucket und Atlassian Bamboo existieren mehrere Schwachstellen. Diese Schwachstellen bestehen teilweise in Komponenten von Drittanbietern und sind nicht im Detail beschrieben. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um Administratorrechte zu erlangen, Informationen offenzulegen, beliebigen Programmcode auszuführen oder einen Denial of Service Zustand herbeizuführen. Für die Ausnutzung einiger dieser Schwachstellen ist eine Benutzerinteraktion erforderlich.", }, ], product_status: { known_affected: [ "T031324", "T031610", "T031612", "T031325", "T031611", "T031614", "T031613", "1529586", "T030846", "T031616", "T031615", "T031607", "T031618", "T031606", "T031617", "T031609", "T031608", ], }, release_date: "2023-10-17T22:00:00.000+00:00", title: "CVE-2021-31684", }, { cve: "CVE-2021-22569", notes: [ { category: "description", text: "In Atlassian Confluence, Atlassian Jira Software, Atlassian Bitbucket und Atlassian Bamboo existieren mehrere Schwachstellen. Diese Schwachstellen bestehen teilweise in Komponenten von Drittanbietern und sind nicht im Detail beschrieben. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um Administratorrechte zu erlangen, Informationen offenzulegen, beliebigen Programmcode auszuführen oder einen Denial of Service Zustand herbeizuführen. Für die Ausnutzung einiger dieser Schwachstellen ist eine Benutzerinteraktion erforderlich.", }, ], product_status: { known_affected: [ "T031324", "T031610", "T031612", "T031325", "T031611", "T031614", "T031613", "1529586", "T030846", "T031616", "T031615", "T031607", "T031618", "T031606", "T031617", "T031609", "T031608", ], }, release_date: "2023-10-17T22:00:00.000+00:00", title: "CVE-2021-22569", }, { cve: "CVE-2020-36518", notes: [ { category: "description", text: "In Atlassian Confluence, Atlassian Jira Software, Atlassian Bitbucket und Atlassian Bamboo existieren mehrere Schwachstellen. Diese Schwachstellen bestehen teilweise in Komponenten von Drittanbietern und sind nicht im Detail beschrieben. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um Administratorrechte zu erlangen, Informationen offenzulegen, beliebigen Programmcode auszuführen oder einen Denial of Service Zustand herbeizuführen. Für die Ausnutzung einiger dieser Schwachstellen ist eine Benutzerinteraktion erforderlich.", }, ], product_status: { known_affected: [ "T031324", "T031610", "T031612", "T031325", "T031611", "T031614", "T031613", "1529586", "T030846", "T031616", "T031615", "T031607", "T031618", "T031606", "T031617", "T031609", "T031608", ], }, release_date: "2023-10-17T22:00:00.000+00:00", title: "CVE-2020-36518", }, { cve: "CVE-2020-13936", notes: [ { category: "description", text: "In Atlassian Confluence, Atlassian Jira Software, Atlassian Bitbucket und Atlassian Bamboo existieren mehrere Schwachstellen. Diese Schwachstellen bestehen teilweise in Komponenten von Drittanbietern und sind nicht im Detail beschrieben. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um Administratorrechte zu erlangen, Informationen offenzulegen, beliebigen Programmcode auszuführen oder einen Denial of Service Zustand herbeizuführen. Für die Ausnutzung einiger dieser Schwachstellen ist eine Benutzerinteraktion erforderlich.", }, ], product_status: { known_affected: [ "T031324", "T031610", "T031612", "T031325", "T031611", "T031614", "T031613", "1529586", "T030846", "T031616", "T031615", "T031607", "T031618", "T031606", "T031617", "T031609", "T031608", ], }, release_date: "2023-10-17T22:00:00.000+00:00", title: "CVE-2020-13936", }, { cve: "CVE-2019-13990", notes: [ { category: "description", text: "In Atlassian Confluence, Atlassian Jira Software, Atlassian Bitbucket und Atlassian Bamboo existieren mehrere Schwachstellen. Diese Schwachstellen bestehen teilweise in Komponenten von Drittanbietern und sind nicht im Detail beschrieben. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um Administratorrechte zu erlangen, Informationen offenzulegen, beliebigen Programmcode auszuführen oder einen Denial of Service Zustand herbeizuführen. Für die Ausnutzung einiger dieser Schwachstellen ist eine Benutzerinteraktion erforderlich.", }, ], product_status: { known_affected: [ "T031324", "T031610", "T031612", "T031325", "T031611", "T031614", "T031613", "1529586", "T030846", "T031616", "T031615", "T031607", "T031618", "T031606", "T031617", "T031609", "T031608", ], }, release_date: "2023-10-17T22:00:00.000+00:00", title: "CVE-2019-13990", }, ], }
wid-sec-w-2024-0257
Vulnerability from csaf_certbund
Published
2024-01-30 23:00
Modified
2024-02-01 23:00
Summary
IBM QRadar SIEM User Behavior Analytics: Mehrere Schwachstellen
Notes
Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.
Produktbeschreibung
IBM QRadar Security Information and Event Management (SIEM) bietet Unterstützung bei der Erkennung und Priorisierung von Sicherheitsbedrohungen im Unternehmen.
Angriff
Ein anonymer Angreifer kann mehrere Schwachstellen in IBM QRadar SIEM User Behavior Analytics ausnutzen, um einen Denial-of-Service-Zustand herbeizuführen, einen Man-in-the-Middle-Angriff durchzuführen oder vertrauliche Informationen offenzulegen.
Betroffene Betriebssysteme
- Linux
{ document: { aggregate_severity: { text: "hoch", }, category: "csaf_base", csaf_version: "2.0", distribution: { tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "de-DE", notes: [ { category: "legal_disclaimer", text: "Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.", }, { category: "description", text: "IBM QRadar Security Information and Event Management (SIEM) bietet Unterstützung bei der Erkennung und Priorisierung von Sicherheitsbedrohungen im Unternehmen.", title: "Produktbeschreibung", }, { category: "summary", text: "Ein anonymer Angreifer kann mehrere Schwachstellen in IBM QRadar SIEM User Behavior Analytics ausnutzen, um einen Denial-of-Service-Zustand herbeizuführen, einen Man-in-the-Middle-Angriff durchzuführen oder vertrauliche Informationen offenzulegen.", title: "Angriff", }, { category: "general", text: "- Linux", title: "Betroffene Betriebssysteme", }, ], publisher: { category: "other", contact_details: "csaf-provider@cert-bund.de", name: "Bundesamt für Sicherheit in der Informationstechnik", namespace: "https://www.bsi.bund.de", }, references: [ { category: "self", summary: "WID-SEC-W-2024-0257 - CSAF Version", url: "https://wid.cert-bund.de/.well-known/csaf/white/2024/wid-sec-w-2024-0257.json", }, { category: "self", summary: "WID-SEC-2024-0257 - Portal Version", url: "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2024-0257", }, { category: "external", summary: "IBM Security Bulletin vom 2024-01-30", url: "https://www.ibm.com/support/pages/node/7112498", }, ], source_lang: "en-US", title: "IBM QRadar SIEM User Behavior Analytics: Mehrere Schwachstellen", tracking: { current_release_date: "2024-02-01T23:00:00.000+00:00", generator: { date: "2024-08-15T18:04:41.191+00:00", engine: { name: "BSI-WID", version: "1.3.5", }, }, id: "WID-SEC-W-2024-0257", initial_release_date: "2024-01-30T23:00:00.000+00:00", revision_history: [ { date: "2024-01-30T23:00:00.000+00:00", number: "1", summary: "Initiale Fassung", }, { date: "2024-02-01T23:00:00.000+00:00", number: "2", summary: "Produkt angepasst", }, ], status: "final", version: "2", }, }, product_tree: { branches: [ { branches: [ { category: "product_name", name: "IBM QRadar SIEM User Behavior Analytics < 4.1.14", product: { name: "IBM QRadar SIEM User Behavior Analytics < 4.1.14", product_id: "T032482", product_identification_helper: { cpe: "cpe:/a:ibm:qradar_siem:user_behavior_analytics__4.1.14", }, }, }, ], category: "vendor", name: "IBM", }, ], }, vulnerabilities: [ { cve: "CVE-2023-31484", notes: [ { category: "description", text: "Es bestehen mehrere Schwachstellen in IBM QRadar SIEM User Behavior Analytics. Diese Fehler bestehen in mehreren Komponenten wie CPAN.pm oder datatables.net, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer unsachgemäßen Validierung von TLS-Zertifikaten, einem Out-of-Bounds-Read oder einer unsachgemäßen Validierung der vom Benutzer bereitgestellten Eingaben. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand auszulösen, einen Man-in-the-Middle-Angriff durchzuführen oder vertrauliche Informationen offenzulegen.", }, ], release_date: "2024-01-30T23:00:00.000+00:00", title: "CVE-2023-31484", }, { cve: "CVE-2023-1370", notes: [ { category: "description", text: "Es bestehen mehrere Schwachstellen in IBM QRadar SIEM User Behavior Analytics. Diese Fehler bestehen in mehreren Komponenten wie CPAN.pm oder datatables.net, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer unsachgemäßen Validierung von TLS-Zertifikaten, einem Out-of-Bounds-Read oder einer unsachgemäßen Validierung der vom Benutzer bereitgestellten Eingaben. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand auszulösen, einen Man-in-the-Middle-Angriff durchzuführen oder vertrauliche Informationen offenzulegen.", }, ], release_date: "2024-01-30T23:00:00.000+00:00", title: "CVE-2023-1370", }, { cve: "CVE-2021-4048", notes: [ { category: "description", text: "Es bestehen mehrere Schwachstellen in IBM QRadar SIEM User Behavior Analytics. Diese Fehler bestehen in mehreren Komponenten wie CPAN.pm oder datatables.net, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer unsachgemäßen Validierung von TLS-Zertifikaten, einem Out-of-Bounds-Read oder einer unsachgemäßen Validierung der vom Benutzer bereitgestellten Eingaben. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand auszulösen, einen Man-in-the-Middle-Angriff durchzuführen oder vertrauliche Informationen offenzulegen.", }, ], release_date: "2024-01-30T23:00:00.000+00:00", title: "CVE-2021-4048", }, { cve: "CVE-2021-31684", notes: [ { category: "description", text: "Es bestehen mehrere Schwachstellen in IBM QRadar SIEM User Behavior Analytics. Diese Fehler bestehen in mehreren Komponenten wie CPAN.pm oder datatables.net, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer unsachgemäßen Validierung von TLS-Zertifikaten, einem Out-of-Bounds-Read oder einer unsachgemäßen Validierung der vom Benutzer bereitgestellten Eingaben. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand auszulösen, einen Man-in-the-Middle-Angriff durchzuführen oder vertrauliche Informationen offenzulegen.", }, ], release_date: "2024-01-30T23:00:00.000+00:00", title: "CVE-2021-31684", }, { cve: "CVE-2021-23445", notes: [ { category: "description", text: "Es bestehen mehrere Schwachstellen in IBM QRadar SIEM User Behavior Analytics. Diese Fehler bestehen in mehreren Komponenten wie CPAN.pm oder datatables.net, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer unsachgemäßen Validierung von TLS-Zertifikaten, einem Out-of-Bounds-Read oder einer unsachgemäßen Validierung der vom Benutzer bereitgestellten Eingaben. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand auszulösen, einen Man-in-the-Middle-Angriff durchzuführen oder vertrauliche Informationen offenzulegen.", }, ], release_date: "2024-01-30T23:00:00.000+00:00", title: "CVE-2021-23445", }, ], }
wid-sec-w-2023-1016
Vulnerability from csaf_certbund
Published
2023-04-18 22:00
Modified
2023-12-26 23:00
Summary
Oracle Fusion Middleware: Mehrere Schwachstellen
Notes
Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.
Produktbeschreibung
Oracle Fusion Middleware bündelt mehrere Produkte zur Erstellung, Betrieb und Management von intelligenten Business Anwendungen.
Angriff
Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in Oracle Fusion Middleware ausnutzen, um die Vertraulichkeit, Integrität und Verfügbarkeit zu gefährden.
Betroffene Betriebssysteme
- UNIX
- Linux
- Windows
{ document: { aggregate_severity: { text: "hoch", }, category: "csaf_base", csaf_version: "2.0", distribution: { tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "de-DE", notes: [ { category: "legal_disclaimer", text: "Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.", }, { category: "description", text: "Oracle Fusion Middleware bündelt mehrere Produkte zur Erstellung, Betrieb und Management von intelligenten Business Anwendungen.", title: "Produktbeschreibung", }, { category: "summary", text: "Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in Oracle Fusion Middleware ausnutzen, um die Vertraulichkeit, Integrität und Verfügbarkeit zu gefährden.", title: "Angriff", }, { category: "general", text: "- UNIX\n- Linux\n- Windows", title: "Betroffene Betriebssysteme", }, ], publisher: { category: "other", contact_details: "csaf-provider@cert-bund.de", name: "Bundesamt für Sicherheit in der Informationstechnik", namespace: "https://www.bsi.bund.de", }, references: [ { category: "self", summary: "WID-SEC-W-2023-1016 - CSAF Version", url: "https://wid.cert-bund.de/.well-known/csaf/white/2023/wid-sec-w-2023-1016.json", }, { category: "self", summary: "WID-SEC-2023-1016 - Portal Version", url: "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2023-1016", }, { category: "external", summary: "Oracle Critical Patch Update Advisory - April 2023 - Appendix Oracle Fusion Middleware vom 2023-04-18", url: "https://www.oracle.com/security-alerts/cpuapr2023.html#AppendixFMW", }, { category: "external", summary: "Dell Security Advisory DSA-2023-409 vom 2023-12-23", url: "https://www.dell.com/support/kbdoc/000220669/dsa-2023-=", }, ], source_lang: "en-US", title: "Oracle Fusion Middleware: Mehrere Schwachstellen", tracking: { current_release_date: "2023-12-26T23:00:00.000+00:00", generator: { date: "2024-08-15T17:49:14.060+00:00", engine: { name: "BSI-WID", version: "1.3.5", }, }, id: "WID-SEC-W-2023-1016", initial_release_date: "2023-04-18T22:00:00.000+00:00", revision_history: [ { date: "2023-04-18T22:00:00.000+00:00", number: "1", summary: "Initiale Fassung", }, { date: "2023-12-26T23:00:00.000+00:00", number: "2", summary: "Neue Updates von Dell aufgenommen", }, ], status: "final", version: "2", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_name", name: "Oracle Fusion Middleware 12.2.1.3.0", product: { name: "Oracle Fusion Middleware 12.2.1.3.0", product_id: "618028", product_identification_helper: { cpe: "cpe:/a:oracle:fusion_middleware:12.2.1.3.0", }, }, }, { category: "product_name", name: "Oracle Fusion Middleware 12.2.1.4.0", product: { name: "Oracle Fusion Middleware 12.2.1.4.0", product_id: "751674", product_identification_helper: { cpe: "cpe:/a:oracle:fusion_middleware:12.2.1.4.0", }, }, }, { category: "product_name", name: "Oracle Fusion Middleware 14.1.1.0.0", product: { name: "Oracle Fusion Middleware 14.1.1.0.0", product_id: "829576", product_identification_helper: { cpe: "cpe:/a:oracle:fusion_middleware:14.1.1.0.0", }, }, }, { category: "product_name", name: "Oracle Fusion Middleware 8.5.6", product: { name: "Oracle Fusion Middleware 8.5.6", product_id: "T024993", product_identification_helper: { cpe: "cpe:/a:oracle:fusion_middleware:8.5.6", }, }, }, ], category: "product_name", name: "Fusion Middleware", }, ], category: "vendor", name: "Oracle", }, ], }, vulnerabilities: [ { cve: "CVE-2023-24998", notes: [ { category: "description", text: "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T024993", "618028", "751674", "829576", ], }, release_date: "2023-04-18T22:00:00.000+00:00", title: "CVE-2023-24998", }, { cve: "CVE-2023-22899", notes: [ { category: "description", text: "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T024993", "618028", "751674", "829576", ], }, release_date: "2023-04-18T22:00:00.000+00:00", title: "CVE-2023-22899", }, { cve: "CVE-2023-21996", notes: [ { category: "description", text: "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T024993", "618028", "751674", "829576", ], }, release_date: "2023-04-18T22:00:00.000+00:00", title: "CVE-2023-21996", }, { cve: "CVE-2023-21979", notes: [ { category: "description", text: "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T024993", "618028", "751674", "829576", ], }, release_date: "2023-04-18T22:00:00.000+00:00", title: "CVE-2023-21979", }, { cve: "CVE-2023-21964", notes: [ { category: "description", text: "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T024993", "618028", "751674", "829576", ], }, release_date: "2023-04-18T22:00:00.000+00:00", title: "CVE-2023-21964", }, { cve: "CVE-2023-21960", notes: [ { category: "description", text: "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T024993", "618028", "751674", "829576", ], }, release_date: "2023-04-18T22:00:00.000+00:00", title: "CVE-2023-21960", }, { cve: "CVE-2023-21956", notes: [ { category: "description", text: "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T024993", "618028", "751674", "829576", ], }, release_date: "2023-04-18T22:00:00.000+00:00", title: "CVE-2023-21956", }, { cve: "CVE-2023-21931", notes: [ { category: "description", text: "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T024993", "618028", "751674", "829576", ], }, release_date: "2023-04-18T22:00:00.000+00:00", title: "CVE-2023-21931", }, { cve: "CVE-2022-46908", notes: [ { category: "description", text: "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T024993", "618028", "751674", "829576", ], }, release_date: "2023-04-18T22:00:00.000+00:00", title: "CVE-2022-46908", }, { cve: "CVE-2022-45693", notes: [ { category: "description", text: "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T024993", "618028", "751674", "829576", ], }, release_date: "2023-04-18T22:00:00.000+00:00", title: "CVE-2022-45693", }, { cve: "CVE-2022-45685", notes: [ { category: "description", text: "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T024993", "618028", "751674", "829576", ], }, release_date: "2023-04-18T22:00:00.000+00:00", title: "CVE-2022-45685", }, { cve: "CVE-2022-45047", notes: [ { category: "description", text: "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T024993", "618028", "751674", "829576", ], }, release_date: "2023-04-18T22:00:00.000+00:00", title: "CVE-2022-45047", }, { cve: "CVE-2022-43551", notes: [ { category: "description", text: "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T024993", "618028", "751674", "829576", ], }, release_date: "2023-04-18T22:00:00.000+00:00", title: "CVE-2022-43551", }, { cve: "CVE-2022-42890", notes: [ { category: "description", text: "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T024993", "618028", "751674", "829576", ], }, release_date: "2023-04-18T22:00:00.000+00:00", title: "CVE-2022-42890", }, { cve: "CVE-2022-42003", notes: [ { category: "description", text: "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T024993", "618028", "751674", "829576", ], }, release_date: "2023-04-18T22:00:00.000+00:00", title: "CVE-2022-42003", }, { cve: "CVE-2022-41966", notes: [ { category: "description", text: "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T024993", "618028", "751674", "829576", ], }, release_date: "2023-04-18T22:00:00.000+00:00", title: "CVE-2022-41966", }, { cve: "CVE-2022-41881", notes: [ { category: "description", text: "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T024993", "618028", "751674", "829576", ], }, release_date: "2023-04-18T22:00:00.000+00:00", title: "CVE-2022-41881", }, { cve: "CVE-2022-40304", notes: [ { category: "description", text: "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T024993", "618028", "751674", "829576", ], }, release_date: "2023-04-18T22:00:00.000+00:00", title: "CVE-2022-40304", }, { cve: "CVE-2022-40152", notes: [ { category: "description", text: "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T024993", "618028", "751674", "829576", ], }, release_date: "2023-04-18T22:00:00.000+00:00", title: "CVE-2022-40152", }, { cve: "CVE-2022-40151", notes: [ { category: "description", text: "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T024993", "618028", "751674", "829576", ], }, release_date: "2023-04-18T22:00:00.000+00:00", title: "CVE-2022-40151", }, { cve: "CVE-2022-40149", notes: [ { category: "description", text: "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T024993", "618028", "751674", "829576", ], }, release_date: "2023-04-18T22:00:00.000+00:00", title: "CVE-2022-40149", }, { cve: "CVE-2022-37434", notes: [ { category: "description", text: "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T024993", "618028", "751674", "829576", ], }, release_date: "2023-04-18T22:00:00.000+00:00", title: "CVE-2022-37434", }, { cve: "CVE-2022-36033", notes: [ { category: "description", text: "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T024993", "618028", "751674", "829576", ], }, release_date: "2023-04-18T22:00:00.000+00:00", title: "CVE-2022-36033", }, { cve: "CVE-2022-34305", notes: [ { category: "description", text: "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T024993", "618028", "751674", "829576", ], }, release_date: "2023-04-18T22:00:00.000+00:00", title: "CVE-2022-34305", }, { cve: "CVE-2022-33980", notes: [ { category: "description", text: "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T024993", "618028", "751674", "829576", ], }, release_date: "2023-04-18T22:00:00.000+00:00", title: "CVE-2022-33980", }, { cve: "CVE-2022-31160", notes: [ { category: "description", text: "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T024993", "618028", "751674", "829576", ], }, release_date: "2023-04-18T22:00:00.000+00:00", title: "CVE-2022-31160", }, { cve: "CVE-2022-29599", notes: [ { category: "description", text: "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T024993", "618028", "751674", "829576", ], }, release_date: "2023-04-18T22:00:00.000+00:00", title: "CVE-2022-29599", }, { cve: "CVE-2022-22965", notes: [ { category: "description", text: "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T024993", "618028", "751674", "829576", ], }, release_date: "2023-04-18T22:00:00.000+00:00", title: "CVE-2022-22965", }, { cve: "CVE-2021-37533", notes: [ { category: "description", text: "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T024993", "618028", "751674", "829576", ], }, release_date: "2023-04-18T22:00:00.000+00:00", title: "CVE-2021-37533", }, { cve: "CVE-2021-36374", notes: [ { category: "description", text: "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T024993", "618028", "751674", "829576", ], }, release_date: "2023-04-18T22:00:00.000+00:00", title: "CVE-2021-36374", }, { cve: "CVE-2021-36090", notes: [ { category: "description", text: "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T024993", "618028", "751674", "829576", ], }, release_date: "2023-04-18T22:00:00.000+00:00", title: "CVE-2021-36090", }, { cve: "CVE-2021-34798", notes: [ { category: "description", text: "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T024993", "618028", "751674", "829576", ], }, release_date: "2023-04-18T22:00:00.000+00:00", title: "CVE-2021-34798", }, { cve: "CVE-2021-31684", notes: [ { category: "description", text: "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T024993", "618028", "751674", "829576", ], }, release_date: "2023-04-18T22:00:00.000+00:00", title: "CVE-2021-31684", }, { cve: "CVE-2021-22569", notes: [ { category: "description", text: "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T024993", "618028", "751674", "829576", ], }, release_date: "2023-04-18T22:00:00.000+00:00", title: "CVE-2021-22569", }, { cve: "CVE-2020-6950", notes: [ { category: "description", text: "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T024993", "618028", "751674", "829576", ], }, release_date: "2023-04-18T22:00:00.000+00:00", title: "CVE-2020-6950", }, { cve: "CVE-2020-25638", notes: [ { category: "description", text: "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T024993", "618028", "751674", "829576", ], }, release_date: "2023-04-18T22:00:00.000+00:00", title: "CVE-2020-25638", }, { cve: "CVE-2020-13954", notes: [ { category: "description", text: "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T024993", "618028", "751674", "829576", ], }, release_date: "2023-04-18T22:00:00.000+00:00", title: "CVE-2020-13954", }, { cve: "CVE-2019-20916", notes: [ { category: "description", text: "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T024993", "618028", "751674", "829576", ], }, release_date: "2023-04-18T22:00:00.000+00:00", title: "CVE-2019-20916", }, { cve: "CVE-2018-14371", notes: [ { category: "description", text: "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T024993", "618028", "751674", "829576", ], }, release_date: "2023-04-18T22:00:00.000+00:00", title: "CVE-2018-14371", }, ], }
wid-sec-w-2023-2700
Vulnerability from csaf_certbund
Published
2023-10-17 22:00
Modified
2023-12-12 23:00
Summary
Atlassian Confluence: Mehrere Schwachstellen
Notes
Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.
Produktbeschreibung
Confluence ist eine kommerzielle Wiki-Software.
Jira ist eine Webanwendung zur Softwareentwicklung.
Bitbucket ist ein Git-Server zur Sourcecode-Versionskontrolle.
Bamboo ist ein Werkzeug zur kontinuierlichen Integration und Bereitstellung, das automatisierte Builds, Tests und Freigaben in einem einzigen Arbeitsablauf verbindet.
Angriff
Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in Atlassian Confluence, Atlassian Jira Software, Atlassian Bitbucket und Atlassian Bamboo ausnutzen, um Administratorrechte zu erlangen, Informationen offenzulegen, beliebigen Programmcode auszuführen oder einen Denial of Service Zustand herbeizuführen.
Betroffene Betriebssysteme
- UNIX
- Linux
- Windows
{ document: { aggregate_severity: { text: "kritisch", }, category: "csaf_base", csaf_version: "2.0", distribution: { tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "de-DE", notes: [ { category: "legal_disclaimer", text: "Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.", }, { category: "description", text: "Confluence ist eine kommerzielle Wiki-Software.\r\nJira ist eine Webanwendung zur Softwareentwicklung.\r\nBitbucket ist ein Git-Server zur Sourcecode-Versionskontrolle.\r\nBamboo ist ein Werkzeug zur kontinuierlichen Integration und Bereitstellung, das automatisierte Builds, Tests und Freigaben in einem einzigen Arbeitsablauf verbindet.", title: "Produktbeschreibung", }, { category: "summary", text: "Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in Atlassian Confluence, Atlassian Jira Software, Atlassian Bitbucket und Atlassian Bamboo ausnutzen, um Administratorrechte zu erlangen, Informationen offenzulegen, beliebigen Programmcode auszuführen oder einen Denial of Service Zustand herbeizuführen.", title: "Angriff", }, { category: "general", text: "- UNIX\n- Linux\n- Windows", title: "Betroffene Betriebssysteme", }, ], publisher: { category: "other", contact_details: "csaf-provider@cert-bund.de", name: "Bundesamt für Sicherheit in der Informationstechnik", namespace: "https://www.bsi.bund.de", }, references: [ { category: "self", summary: "WID-SEC-W-2023-2700 - CSAF Version", url: "https://wid.cert-bund.de/.well-known/csaf/white/2023/wid-sec-w-2023-2700.json", }, { category: "self", summary: "WID-SEC-2023-2700 - Portal Version", url: "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2023-2700", }, { category: "external", summary: "Atlassian Security Update vom 2023-10-17", url: "https://confluence.atlassian.com/security/security-bulletin-october-17-2023-1299929380.html", }, { category: "external", summary: "Atlassian Security Bulletin December 12 2023 vom 2023-12-12", url: "https://confluence.atlassian.com/security/security-bulletin-december-12-2023-1319249520.html", }, ], source_lang: "en-US", title: "Atlassian Confluence: Mehrere Schwachstellen", tracking: { current_release_date: "2023-12-12T23:00:00.000+00:00", generator: { date: "2024-08-15T18:00:13.228+00:00", engine: { name: "BSI-WID", version: "1.3.5", }, }, id: "WID-SEC-W-2023-2700", initial_release_date: "2023-10-17T22:00:00.000+00:00", revision_history: [ { date: "2023-10-17T22:00:00.000+00:00", number: "1", summary: "Initiale Fassung", }, { date: "2023-12-12T23:00:00.000+00:00", number: "2", summary: "Neue Updates aufgenommen", }, ], status: "final", version: "2", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_name", name: "Atlassian Bamboo < 9.2.7", product: { name: "Atlassian Bamboo < 9.2.7", product_id: "1529586", product_identification_helper: { cpe: "cpe:/a:atlassian:bamboo:9.2.7", }, }, }, { category: "product_name", name: "Atlassian Bamboo < 9.2.5 Data Center and Server", product: { name: "Atlassian Bamboo < 9.2.5 Data Center and Server", product_id: "T030667", product_identification_helper: { cpe: "cpe:/a:atlassian:bamboo:9.2.5_data_center_and_server", }, }, }, { category: "product_name", name: "Atlassian Bamboo < 9.3.1 Data Center and Server", product: { name: "Atlassian Bamboo < 9.3.1 Data Center and Server", product_id: "T030668", product_identification_helper: { cpe: "cpe:/a:atlassian:bamboo:9.3.1_data_center_and_server", }, }, }, { category: "product_name", name: "Atlassian Bamboo < 9.3.3 Data Center and Server", product: { name: "Atlassian Bamboo < 9.3.3 Data Center and Server", product_id: "T030669", product_identification_helper: { cpe: "cpe:/a:atlassian:bamboo:9.3.3_data_center_and_server", }, }, }, { category: "product_name", name: "Atlassian Bamboo < 9.3.5", product: { name: "Atlassian Bamboo < 9.3.5", product_id: "T031324", product_identification_helper: { cpe: "cpe:/a:atlassian:bamboo:9.3.5", }, }, }, ], category: "product_name", name: "Bamboo", }, { branches: [ { category: "product_name", name: "Atlassian Bitbucket < 8.13.1 Data Center and Server", product: { name: "Atlassian Bitbucket < 8.13.1 Data Center and Server", product_id: "T030666", product_identification_helper: { cpe: "cpe:/a:atlassian:bitbucket:8.13.1_data_center_and_server", }, }, }, { category: "product_name", name: "Atlassian Bitbucket < 7.21.18", product: { name: "Atlassian Bitbucket < 7.21.18", product_id: "T031325", product_identification_helper: { cpe: "cpe:/a:atlassian:bitbucket:7.21.18", }, }, }, { category: "product_name", name: "Atlassian Bitbucket < 8.9.7", product: { name: "Atlassian Bitbucket < 8.9.7", product_id: "T031614", product_identification_helper: { cpe: "cpe:/a:atlassian:bitbucket:8.9.7", }, }, }, { category: "product_name", name: "Atlassian Bitbucket < 8.11.6", product: { name: "Atlassian Bitbucket < 8.11.6", product_id: "T031615", product_identification_helper: { cpe: "cpe:/a:atlassian:bitbucket:8.11.6", }, }, }, { category: "product_name", name: "Atlassian Bitbucket < 8.12.4", product: { name: "Atlassian Bitbucket < 8.12.4", product_id: "T031616", product_identification_helper: { cpe: "cpe:/a:atlassian:bitbucket:8.12.4", }, }, }, { category: "product_name", name: "Atlassian Bitbucket < 8.13.3", product: { name: "Atlassian Bitbucket < 8.13.3", product_id: "T031617", product_identification_helper: { cpe: "cpe:/a:atlassian:bitbucket:8.13.3", }, }, }, { category: "product_name", name: "Atlassian Bitbucket < 8.14.2", product: { name: "Atlassian Bitbucket < 8.14.2", product_id: "T031618", product_identification_helper: { cpe: "cpe:/a:atlassian:bitbucket:8.14.2", }, }, }, ], category: "product_name", name: "Bitbucket", }, { branches: [ { category: "product_name", name: "Atlassian Confluence < 8.3.3 Server and Data Center", product: { name: "Atlassian Confluence < 8.3.3 Server and Data Center", product_id: "T030660", product_identification_helper: { cpe: "cpe:/a:atlassian:confluence:8.3.3_server_and_data_center", }, }, }, { category: "product_name", name: "Atlassian Confluence < 8.5.2 Server and Data Center", product: { name: "Atlassian Confluence < 8.5.2 Server and Data Center", product_id: "T030662", product_identification_helper: { cpe: "cpe:/a:atlassian:confluence:8.5.2_server_and_data_center", }, }, }, { category: "product_name", name: "Atlassian Confluence < 8.4.3 Server and Data Center", product: { name: "Atlassian Confluence < 8.4.3 Server and Data Center", product_id: "T030663", product_identification_helper: { cpe: "cpe:/a:atlassian:confluence:8.4.3_server_and_data_center", }, }, }, { category: "product_name", name: "Atlassian Confluence < 8.3.4", product: { name: "Atlassian Confluence < 8.3.4", product_id: "T030846", product_identification_helper: { cpe: "cpe:/a:atlassian:confluence:8.3.4", }, }, }, { category: "product_name", name: "Atlassian Confluence < 7.19.17", product: { name: "Atlassian Confluence < 7.19.17", product_id: "T031609", product_identification_helper: { cpe: "cpe:/a:atlassian:confluence:7.19.17", }, }, }, { category: "product_name", name: "Atlassian Confluence < 8.4.5", product: { name: "Atlassian Confluence < 8.4.5", product_id: "T031610", product_identification_helper: { cpe: "cpe:/a:atlassian:confluence:8.4.5", }, }, }, { category: "product_name", name: "Atlassian Confluence < 8.5.4", product: { name: "Atlassian Confluence < 8.5.4", product_id: "T031611", product_identification_helper: { cpe: "cpe:/a:atlassian:confluence:8.5.4", }, }, }, { category: "product_name", name: "Atlassian Confluence < 8.6.2", product: { name: "Atlassian Confluence < 8.6.2", product_id: "T031612", product_identification_helper: { cpe: "cpe:/a:atlassian:confluence:8.6.2", }, }, }, { category: "product_name", name: "Atlassian Confluence < 8.7.1", product: { name: "Atlassian Confluence < 8.7.1", product_id: "T031613", product_identification_helper: { cpe: "cpe:/a:atlassian:confluence:8.7.1", }, }, }, ], category: "product_name", name: "Confluence", }, { branches: [ { category: "product_name", name: "Atlassian Jira Software < 4.20.27 Service Management Data Center and Server", product: { name: "Atlassian Jira Software < 4.20.27 Service Management Data Center and Server", product_id: "T030664", product_identification_helper: { cpe: "cpe:/a:atlassian:jira_software:4.20.27_service_management_data_center_and_server", }, }, }, { category: "product_name", name: "Atlassian Jira Software < 5.4.11 Service Management Data Center and Server", product: { name: "Atlassian Jira Software < 5.4.11 Service Management Data Center and Server", product_id: "T030665", product_identification_helper: { cpe: "cpe:/a:atlassian:jira_software:5.4.11_service_management_data_center_and_server", }, }, }, { category: "product_name", name: "Atlassian Jira Software < 9.4.13", product: { name: "Atlassian Jira Software < 9.4.13", product_id: "T031606", product_identification_helper: { cpe: "cpe:/a:atlassian:jira_software:9.4.13", }, }, }, { category: "product_name", name: "Atlassian Jira Software Service Management < 4.20.28", product: { name: "Atlassian Jira Software Service Management < 4.20.28", product_id: "T031607", product_identification_helper: { cpe: "cpe:/a:atlassian:jira_software:service_management__4.20.28", }, }, }, { category: "product_name", name: "Atlassian Jira Software Service Management < 5.4.12", product: { name: "Atlassian Jira Software Service Management < 5.4.12", product_id: "T031608", product_identification_helper: { cpe: "cpe:/a:atlassian:jira_software:service_management__5.4.12", }, }, }, ], category: "product_name", name: "Jira Software", }, ], category: "vendor", name: "Atlassian", }, ], }, vulnerabilities: [ { cve: "CVE-2023-28709", notes: [ { category: "description", text: "In Atlassian Confluence, Atlassian Jira Software, Atlassian Bitbucket und Atlassian Bamboo existieren mehrere Schwachstellen. Diese Schwachstellen bestehen teilweise in Komponenten von Drittanbietern und sind nicht im Detail beschrieben. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um Administratorrechte zu erlangen, Informationen offenzulegen, beliebigen Programmcode auszuführen oder einen Denial of Service Zustand herbeizuführen. Für die Ausnutzung einiger dieser Schwachstellen ist eine Benutzerinteraktion erforderlich.", }, ], product_status: { known_affected: [ "T031324", "T031610", "T031612", "T031325", "T031611", "T031614", "T031613", "1529586", "T030846", "T031616", "T031615", "T031607", "T031618", "T031606", "T031617", "T031609", "T031608", ], }, release_date: "2023-10-17T22:00:00.000+00:00", title: "CVE-2023-28709", }, { cve: "CVE-2023-25194", notes: [ { category: "description", text: "In Atlassian Confluence, Atlassian Jira Software, Atlassian Bitbucket und Atlassian Bamboo existieren mehrere Schwachstellen. Diese Schwachstellen bestehen teilweise in Komponenten von Drittanbietern und sind nicht im Detail beschrieben. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um Administratorrechte zu erlangen, Informationen offenzulegen, beliebigen Programmcode auszuführen oder einen Denial of Service Zustand herbeizuführen. Für die Ausnutzung einiger dieser Schwachstellen ist eine Benutzerinteraktion erforderlich.", }, ], product_status: { known_affected: [ "T031324", "T031610", "T031612", "T031325", "T031611", "T031614", "T031613", "1529586", "T030846", "T031616", "T031615", "T031607", "T031618", "T031606", "T031617", "T031609", "T031608", ], }, release_date: "2023-10-17T22:00:00.000+00:00", title: "CVE-2023-25194", }, { cve: "CVE-2023-22515", notes: [ { category: "description", text: "In Atlassian Confluence, Atlassian Jira Software, Atlassian Bitbucket und Atlassian Bamboo existieren mehrere Schwachstellen. Diese Schwachstellen bestehen teilweise in Komponenten von Drittanbietern und sind nicht im Detail beschrieben. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um Administratorrechte zu erlangen, Informationen offenzulegen, beliebigen Programmcode auszuführen oder einen Denial of Service Zustand herbeizuführen. Für die Ausnutzung einiger dieser Schwachstellen ist eine Benutzerinteraktion erforderlich.", }, ], product_status: { known_affected: [ "T031324", "T031610", "T031612", "T031325", "T031611", "T031614", "T031613", "1529586", "T030846", "T031616", "T031615", "T031607", "T031618", "T031606", "T031617", "T031609", "T031608", ], }, release_date: "2023-10-17T22:00:00.000+00:00", title: "CVE-2023-22515", }, { cve: "CVE-2023-22514", notes: [ { category: "description", text: "In Atlassian Confluence, Atlassian Jira Software, Atlassian Bitbucket und Atlassian Bamboo existieren mehrere Schwachstellen. Diese Schwachstellen bestehen teilweise in Komponenten von Drittanbietern und sind nicht im Detail beschrieben. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um Administratorrechte zu erlangen, Informationen offenzulegen, beliebigen Programmcode auszuführen oder einen Denial of Service Zustand herbeizuführen. Für die Ausnutzung einiger dieser Schwachstellen ist eine Benutzerinteraktion erforderlich.", }, ], product_status: { known_affected: [ "T031324", "T031610", "T031612", "T031325", "T031611", "T031614", "T031613", "1529586", "T030846", "T031616", "T031615", "T031607", "T031618", "T031606", "T031617", "T031609", "T031608", ], }, release_date: "2023-10-17T22:00:00.000+00:00", title: "CVE-2023-22514", }, { cve: "CVE-2023-1370", notes: [ { category: "description", text: "In Atlassian Confluence, Atlassian Jira Software, Atlassian Bitbucket und Atlassian Bamboo existieren mehrere Schwachstellen. Diese Schwachstellen bestehen teilweise in Komponenten von Drittanbietern und sind nicht im Detail beschrieben. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um Administratorrechte zu erlangen, Informationen offenzulegen, beliebigen Programmcode auszuführen oder einen Denial of Service Zustand herbeizuführen. Für die Ausnutzung einiger dieser Schwachstellen ist eine Benutzerinteraktion erforderlich.", }, ], product_status: { known_affected: [ "T031324", "T031610", "T031612", "T031325", "T031611", "T031614", "T031613", "1529586", "T030846", "T031616", "T031615", "T031607", "T031618", "T031606", "T031617", "T031609", "T031608", ], }, release_date: "2023-10-17T22:00:00.000+00:00", title: "CVE-2023-1370", }, { cve: "CVE-2022-45688", notes: [ { category: "description", text: "In Atlassian Confluence, Atlassian Jira Software, Atlassian Bitbucket und Atlassian Bamboo existieren mehrere Schwachstellen. Diese Schwachstellen bestehen teilweise in Komponenten von Drittanbietern und sind nicht im Detail beschrieben. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um Administratorrechte zu erlangen, Informationen offenzulegen, beliebigen Programmcode auszuführen oder einen Denial of Service Zustand herbeizuführen. Für die Ausnutzung einiger dieser Schwachstellen ist eine Benutzerinteraktion erforderlich.", }, ], product_status: { known_affected: [ "T031324", "T031610", "T031612", "T031325", "T031611", "T031614", "T031613", "1529586", "T030846", "T031616", "T031615", "T031607", "T031618", "T031606", "T031617", "T031609", "T031608", ], }, release_date: "2023-10-17T22:00:00.000+00:00", title: "CVE-2022-45688", }, { cve: "CVE-2022-45685", notes: [ { category: "description", text: "In Atlassian Confluence, Atlassian Jira Software, Atlassian Bitbucket und Atlassian Bamboo existieren mehrere Schwachstellen. Diese Schwachstellen bestehen teilweise in Komponenten von Drittanbietern und sind nicht im Detail beschrieben. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um Administratorrechte zu erlangen, Informationen offenzulegen, beliebigen Programmcode auszuführen oder einen Denial of Service Zustand herbeizuführen. Für die Ausnutzung einiger dieser Schwachstellen ist eine Benutzerinteraktion erforderlich.", }, ], product_status: { known_affected: [ "T031324", "T031610", "T031612", "T031325", "T031611", "T031614", "T031613", "1529586", "T030846", "T031616", "T031615", "T031607", "T031618", "T031606", "T031617", "T031609", "T031608", ], }, release_date: "2023-10-17T22:00:00.000+00:00", title: "CVE-2022-45685", }, { cve: "CVE-2022-42004", notes: [ { category: "description", text: "In Atlassian Confluence, Atlassian Jira Software, Atlassian Bitbucket und Atlassian Bamboo existieren mehrere Schwachstellen. Diese Schwachstellen bestehen teilweise in Komponenten von Drittanbietern und sind nicht im Detail beschrieben. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um Administratorrechte zu erlangen, Informationen offenzulegen, beliebigen Programmcode auszuführen oder einen Denial of Service Zustand herbeizuführen. Für die Ausnutzung einiger dieser Schwachstellen ist eine Benutzerinteraktion erforderlich.", }, ], product_status: { known_affected: [ "T031324", "T031610", "T031612", "T031325", "T031611", "T031614", "T031613", "1529586", "T030846", "T031616", "T031615", "T031607", "T031618", "T031606", "T031617", "T031609", "T031608", ], }, release_date: "2023-10-17T22:00:00.000+00:00", title: "CVE-2022-42004", }, { cve: "CVE-2022-42003", notes: [ { category: "description", text: "In Atlassian Confluence, Atlassian Jira Software, Atlassian Bitbucket und Atlassian Bamboo existieren mehrere Schwachstellen. Diese Schwachstellen bestehen teilweise in Komponenten von Drittanbietern und sind nicht im Detail beschrieben. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um Administratorrechte zu erlangen, Informationen offenzulegen, beliebigen Programmcode auszuführen oder einen Denial of Service Zustand herbeizuführen. Für die Ausnutzung einiger dieser Schwachstellen ist eine Benutzerinteraktion erforderlich.", }, ], product_status: { known_affected: [ "T031324", "T031610", "T031612", "T031325", "T031611", "T031614", "T031613", "1529586", "T030846", "T031616", "T031615", "T031607", "T031618", "T031606", "T031617", "T031609", "T031608", ], }, release_date: "2023-10-17T22:00:00.000+00:00", title: "CVE-2022-42003", }, { cve: "CVE-2022-41906", notes: [ { category: "description", text: "In Atlassian Confluence, Atlassian Jira Software, Atlassian Bitbucket und Atlassian Bamboo existieren mehrere Schwachstellen. Diese Schwachstellen bestehen teilweise in Komponenten von Drittanbietern und sind nicht im Detail beschrieben. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um Administratorrechte zu erlangen, Informationen offenzulegen, beliebigen Programmcode auszuführen oder einen Denial of Service Zustand herbeizuführen. Für die Ausnutzung einiger dieser Schwachstellen ist eine Benutzerinteraktion erforderlich.", }, ], product_status: { known_affected: [ "T031324", "T031610", "T031612", "T031325", "T031611", "T031614", "T031613", "1529586", "T030846", "T031616", "T031615", "T031607", "T031618", "T031606", "T031617", "T031609", "T031608", ], }, release_date: "2023-10-17T22:00:00.000+00:00", title: "CVE-2022-41906", }, { cve: "CVE-2022-40152", notes: [ { category: "description", text: "In Atlassian Confluence, Atlassian Jira Software, Atlassian Bitbucket und Atlassian Bamboo existieren mehrere Schwachstellen. Diese Schwachstellen bestehen teilweise in Komponenten von Drittanbietern und sind nicht im Detail beschrieben. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um Administratorrechte zu erlangen, Informationen offenzulegen, beliebigen Programmcode auszuführen oder einen Denial of Service Zustand herbeizuführen. Für die Ausnutzung einiger dieser Schwachstellen ist eine Benutzerinteraktion erforderlich.", }, ], product_status: { known_affected: [ "T031324", "T031610", "T031612", "T031325", "T031611", "T031614", "T031613", "1529586", "T030846", "T031616", "T031615", "T031607", "T031618", "T031606", "T031617", "T031609", "T031608", ], }, release_date: "2023-10-17T22:00:00.000+00:00", title: "CVE-2022-40152", }, { cve: "CVE-2022-3509", notes: [ { category: "description", text: "In Atlassian Confluence, Atlassian Jira Software, Atlassian Bitbucket und Atlassian Bamboo existieren mehrere Schwachstellen. Diese Schwachstellen bestehen teilweise in Komponenten von Drittanbietern und sind nicht im Detail beschrieben. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um Administratorrechte zu erlangen, Informationen offenzulegen, beliebigen Programmcode auszuführen oder einen Denial of Service Zustand herbeizuführen. Für die Ausnutzung einiger dieser Schwachstellen ist eine Benutzerinteraktion erforderlich.", }, ], product_status: { known_affected: [ "T031324", "T031610", "T031612", "T031325", "T031611", "T031614", "T031613", "1529586", "T030846", "T031616", "T031615", "T031607", "T031618", "T031606", "T031617", "T031609", "T031608", ], }, release_date: "2023-10-17T22:00:00.000+00:00", title: "CVE-2022-3509", }, { cve: "CVE-2022-3171", notes: [ { category: "description", text: "In Atlassian Confluence, Atlassian Jira Software, Atlassian Bitbucket und Atlassian Bamboo existieren mehrere Schwachstellen. Diese Schwachstellen bestehen teilweise in Komponenten von Drittanbietern und sind nicht im Detail beschrieben. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um Administratorrechte zu erlangen, Informationen offenzulegen, beliebigen Programmcode auszuführen oder einen Denial of Service Zustand herbeizuführen. Für die Ausnutzung einiger dieser Schwachstellen ist eine Benutzerinteraktion erforderlich.", }, ], product_status: { known_affected: [ "T031324", "T031610", "T031612", "T031325", "T031611", "T031614", "T031613", "1529586", "T030846", "T031616", "T031615", "T031607", "T031618", "T031606", "T031617", "T031609", "T031608", ], }, release_date: "2023-10-17T22:00:00.000+00:00", title: "CVE-2022-3171", }, { cve: "CVE-2022-25647", notes: [ { category: "description", text: "In Atlassian Confluence, Atlassian Jira Software, Atlassian Bitbucket und Atlassian Bamboo existieren mehrere Schwachstellen. Diese Schwachstellen bestehen teilweise in Komponenten von Drittanbietern und sind nicht im Detail beschrieben. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um Administratorrechte zu erlangen, Informationen offenzulegen, beliebigen Programmcode auszuführen oder einen Denial of Service Zustand herbeizuführen. Für die Ausnutzung einiger dieser Schwachstellen ist eine Benutzerinteraktion erforderlich.", }, ], product_status: { known_affected: [ "T031324", "T031610", "T031612", "T031325", "T031611", "T031614", "T031613", "1529586", "T030846", "T031616", "T031615", "T031607", "T031618", "T031606", "T031617", "T031609", "T031608", ], }, release_date: "2023-10-17T22:00:00.000+00:00", title: "CVE-2022-25647", }, { cve: "CVE-2021-46877", notes: [ { category: "description", text: "In Atlassian Confluence, Atlassian Jira Software, Atlassian Bitbucket und Atlassian Bamboo existieren mehrere Schwachstellen. Diese Schwachstellen bestehen teilweise in Komponenten von Drittanbietern und sind nicht im Detail beschrieben. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um Administratorrechte zu erlangen, Informationen offenzulegen, beliebigen Programmcode auszuführen oder einen Denial of Service Zustand herbeizuführen. Für die Ausnutzung einiger dieser Schwachstellen ist eine Benutzerinteraktion erforderlich.", }, ], product_status: { known_affected: [ "T031324", "T031610", "T031612", "T031325", "T031611", "T031614", "T031613", "1529586", "T030846", "T031616", "T031615", "T031607", "T031618", "T031606", "T031617", "T031609", "T031608", ], }, release_date: "2023-10-17T22:00:00.000+00:00", title: "CVE-2021-46877", }, { cve: "CVE-2021-31684", notes: [ { category: "description", text: "In Atlassian Confluence, Atlassian Jira Software, Atlassian Bitbucket und Atlassian Bamboo existieren mehrere Schwachstellen. Diese Schwachstellen bestehen teilweise in Komponenten von Drittanbietern und sind nicht im Detail beschrieben. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um Administratorrechte zu erlangen, Informationen offenzulegen, beliebigen Programmcode auszuführen oder einen Denial of Service Zustand herbeizuführen. Für die Ausnutzung einiger dieser Schwachstellen ist eine Benutzerinteraktion erforderlich.", }, ], product_status: { known_affected: [ "T031324", "T031610", "T031612", "T031325", "T031611", "T031614", "T031613", "1529586", "T030846", "T031616", "T031615", "T031607", "T031618", "T031606", "T031617", "T031609", "T031608", ], }, release_date: "2023-10-17T22:00:00.000+00:00", title: "CVE-2021-31684", }, { cve: "CVE-2021-22569", notes: [ { category: "description", text: "In Atlassian Confluence, Atlassian Jira Software, Atlassian Bitbucket und Atlassian Bamboo existieren mehrere Schwachstellen. Diese Schwachstellen bestehen teilweise in Komponenten von Drittanbietern und sind nicht im Detail beschrieben. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um Administratorrechte zu erlangen, Informationen offenzulegen, beliebigen Programmcode auszuführen oder einen Denial of Service Zustand herbeizuführen. Für die Ausnutzung einiger dieser Schwachstellen ist eine Benutzerinteraktion erforderlich.", }, ], product_status: { known_affected: [ "T031324", "T031610", "T031612", "T031325", "T031611", "T031614", "T031613", "1529586", "T030846", "T031616", "T031615", "T031607", "T031618", "T031606", "T031617", "T031609", "T031608", ], }, release_date: "2023-10-17T22:00:00.000+00:00", title: "CVE-2021-22569", }, { cve: "CVE-2020-36518", notes: [ { category: "description", text: "In Atlassian Confluence, Atlassian Jira Software, Atlassian Bitbucket und Atlassian Bamboo existieren mehrere Schwachstellen. Diese Schwachstellen bestehen teilweise in Komponenten von Drittanbietern und sind nicht im Detail beschrieben. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um Administratorrechte zu erlangen, Informationen offenzulegen, beliebigen Programmcode auszuführen oder einen Denial of Service Zustand herbeizuführen. Für die Ausnutzung einiger dieser Schwachstellen ist eine Benutzerinteraktion erforderlich.", }, ], product_status: { known_affected: [ "T031324", "T031610", "T031612", "T031325", "T031611", "T031614", "T031613", "1529586", "T030846", "T031616", "T031615", "T031607", "T031618", "T031606", "T031617", "T031609", "T031608", ], }, release_date: "2023-10-17T22:00:00.000+00:00", title: "CVE-2020-36518", }, { cve: "CVE-2020-13936", notes: [ { category: "description", text: "In Atlassian Confluence, Atlassian Jira Software, Atlassian Bitbucket und Atlassian Bamboo existieren mehrere Schwachstellen. Diese Schwachstellen bestehen teilweise in Komponenten von Drittanbietern und sind nicht im Detail beschrieben. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um Administratorrechte zu erlangen, Informationen offenzulegen, beliebigen Programmcode auszuführen oder einen Denial of Service Zustand herbeizuführen. Für die Ausnutzung einiger dieser Schwachstellen ist eine Benutzerinteraktion erforderlich.", }, ], product_status: { known_affected: [ "T031324", "T031610", "T031612", "T031325", "T031611", "T031614", "T031613", "1529586", "T030846", "T031616", "T031615", "T031607", "T031618", "T031606", "T031617", "T031609", "T031608", ], }, release_date: "2023-10-17T22:00:00.000+00:00", title: "CVE-2020-13936", }, { cve: "CVE-2019-13990", notes: [ { category: "description", text: "In Atlassian Confluence, Atlassian Jira Software, Atlassian Bitbucket und Atlassian Bamboo existieren mehrere Schwachstellen. Diese Schwachstellen bestehen teilweise in Komponenten von Drittanbietern und sind nicht im Detail beschrieben. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um Administratorrechte zu erlangen, Informationen offenzulegen, beliebigen Programmcode auszuführen oder einen Denial of Service Zustand herbeizuführen. Für die Ausnutzung einiger dieser Schwachstellen ist eine Benutzerinteraktion erforderlich.", }, ], product_status: { known_affected: [ "T031324", "T031610", "T031612", "T031325", "T031611", "T031614", "T031613", "1529586", "T030846", "T031616", "T031615", "T031607", "T031618", "T031606", "T031617", "T031609", "T031608", ], }, release_date: "2023-10-17T22:00:00.000+00:00", title: "CVE-2019-13990", }, ], }
rhsa-2022_8652
Vulnerability from csaf_redhat
Published
2022-11-28 14:39
Modified
2024-12-18 00:37
Summary
Red Hat Security Advisory: Red Hat Fuse 7.11.1 release and security update
Notes
Topic
A minor version update (from 7.11 to 7.11.1) is now available for Red Hat Fuse. The purpose of this text-only errata is to inform you about the security issues fixed in this release.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
This release of Red Hat Fuse 7.11.1 serves as a replacement for Red Hat Fuse 7.11 and includes bug fixes and enhancements, which are documented in the Release Notes document linked in the References.
Security Fix(es):
* hsqldb: Untrusted input may lead to RCE attack [fuse-7] (CVE-2022-41853)
* io.hawt-hawtio-online: bootstrap: XSS in the tooltip or popover data-template attribute [fuse-7] (CVE-2019-8331)
* io.hawt-project: bootstrap: XSS in the tooltip or popover data-template attribute [fuse-7] (CVE-2019-8331)
* wildfly: incorrect JBOSS_LOCAL_USER challenge location may lead to giving access to all the local users [fuse-7] (CVE-2021-3717)
* json-smart: Denial of Service in JSONParserByteArray function [fuse-7] (CVE-2021-31684)
* io.hawt-hawtio-integration: minimist: prototype pollution [fuse-7] (CVE-2021-44906)
* urijs: Authorization Bypass Through User-Controlled Key [fuse-7] (CVE-2022-0613)
* http2-server: Invalid HTTP/2 requests cause DoS [fuse-7] (CVE-2022-2048)
* snakeyaml: Denial of Service due to missing nested depth limitation for collections [fuse-7] (CVE-2022-25857)
* urijs: Leading white space bypasses protocol validation [fuse-7] (CVE-2022-24723)
* Moment.js: Path traversal in moment.locale [fuse-7] (CVE-2022-24785)
* netty: world readable temporary file containing sensitive data [fuse-7] (CVE-2022-24823)
* jdbc-postgresql: postgresql: SQL Injection in ResultSet.refreshRow() with malicious column names [fuse-7] (CVE-2022-31197)
* commons-configuration2: apache-commons-configuration: Apache Commons Configuration insecure interpolation defaults [fuse-7] (CVE-2022-33980)
* commons-text: apache-commons-text: variable interpolation RCE [fuse-7] (CVE-2022-42889)
* undertow: Large AJP request may cause DoS [fuse-7] (CVE-2022-2053)
* moment: inefficient parsing algorithm resulting in DoS [fuse-7] (CVE-2022-31129)
* snakeyaml: Uncaught exception in org.yaml.snakeyaml.composer.Composer.composeSequenceNode [fuse-7] (CVE-2022-38749)
For more details about the security issues, including the impact, CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ document: { aggregate_severity: { namespace: "https://access.redhat.com/security/updates/classification/", text: "Important", }, category: "csaf_security_advisory", csaf_version: "2.0", distribution: { text: "Copyright © Red Hat, Inc. All rights reserved.", tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "en", notes: [ { category: "summary", text: "A minor version update (from 7.11 to 7.11.1) is now available for Red Hat Fuse. The purpose of this text-only errata is to inform you about the security issues fixed in this release.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", title: "Topic", }, { category: "general", text: "This release of Red Hat Fuse 7.11.1 serves as a replacement for Red Hat Fuse 7.11 and includes bug fixes and enhancements, which are documented in the Release Notes document linked in the References.\n\nSecurity Fix(es):\n\n* hsqldb: Untrusted input may lead to RCE attack [fuse-7] (CVE-2022-41853)\n\n* io.hawt-hawtio-online: bootstrap: XSS in the tooltip or popover data-template attribute [fuse-7] (CVE-2019-8331)\n\n* io.hawt-project: bootstrap: XSS in the tooltip or popover data-template attribute [fuse-7] (CVE-2019-8331)\n\n* wildfly: incorrect JBOSS_LOCAL_USER challenge location may lead to giving access to all the local users [fuse-7] (CVE-2021-3717)\n\n* json-smart: Denial of Service in JSONParserByteArray function [fuse-7] (CVE-2021-31684)\n\n* io.hawt-hawtio-integration: minimist: prototype pollution [fuse-7] (CVE-2021-44906)\n\n* urijs: Authorization Bypass Through User-Controlled Key [fuse-7] (CVE-2022-0613)\n\n* http2-server: Invalid HTTP/2 requests cause DoS [fuse-7] (CVE-2022-2048)\n\n* snakeyaml: Denial of Service due to missing nested depth limitation for collections [fuse-7] (CVE-2022-25857)\n\n* urijs: Leading white space bypasses protocol validation [fuse-7] (CVE-2022-24723)\n\n* Moment.js: Path traversal in moment.locale [fuse-7] (CVE-2022-24785)\n\n* netty: world readable temporary file containing sensitive data [fuse-7] (CVE-2022-24823)\n\n* jdbc-postgresql: postgresql: SQL Injection in ResultSet.refreshRow() with malicious column names [fuse-7] (CVE-2022-31197)\n\n* commons-configuration2: apache-commons-configuration: Apache Commons Configuration insecure interpolation defaults [fuse-7] (CVE-2022-33980)\n\n* commons-text: apache-commons-text: variable interpolation RCE [fuse-7] (CVE-2022-42889)\n\n* undertow: Large AJP request may cause DoS [fuse-7] (CVE-2022-2053)\n\n* moment: inefficient parsing algorithm resulting in DoS [fuse-7] (CVE-2022-31129)\n\n* snakeyaml: Uncaught exception in org.yaml.snakeyaml.composer.Composer.composeSequenceNode [fuse-7] (CVE-2022-38749)\n\nFor more details about the security issues, including the impact, CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", title: "Details", }, { category: "legal_disclaimer", text: "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", title: "Terms of Use", }, ], publisher: { category: "vendor", contact_details: "https://access.redhat.com/security/team/contact/", issuing_authority: "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", name: "Red Hat Product Security", namespace: "https://www.redhat.com", }, references: [ { category: "self", summary: "https://access.redhat.com/errata/RHSA-2022:8652", url: "https://access.redhat.com/errata/RHSA-2022:8652", }, { category: "external", summary: "https://access.redhat.com/security/updates/classification/#important", url: "https://access.redhat.com/security/updates/classification/#important", }, { category: "external", summary: "1686454", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1686454", }, { category: "external", summary: "1991305", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1991305", }, { category: "external", summary: "2055496", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2055496", }, { category: "external", summary: "2062370", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2062370", }, { category: "external", summary: "2066009", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2066009", }, { category: "external", summary: "2072009", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2072009", }, { category: "external", summary: "2087186", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2087186", }, { category: "external", summary: "2095862", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2095862", }, { category: "external", summary: "2102695", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2102695", }, { category: "external", summary: "2105067", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2105067", }, { category: "external", summary: "2105075", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2105075", }, { category: "external", summary: "2116952", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2116952", }, { category: "external", summary: "2126789", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2126789", }, { category: "external", summary: "2129428", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2129428", }, { category: "external", summary: "2129706", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2129706", }, { category: "external", summary: "2135435", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2135435", }, { category: "external", summary: "2136141", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2136141", }, { category: "self", summary: "Canonical URL", url: "https://security.access.redhat.com/data/csaf/v2/advisories/2022/rhsa-2022_8652.json", }, ], title: "Red Hat Security Advisory: Red Hat Fuse 7.11.1 release and security update", tracking: { current_release_date: "2024-12-18T00:37:36+00:00", generator: { date: "2024-12-18T00:37:36+00:00", engine: { name: "Red Hat SDEngine", version: "4.2.3", }, }, id: "RHSA-2022:8652", initial_release_date: "2022-11-28T14:39:27+00:00", revision_history: [ { date: "2022-11-28T14:39:27+00:00", number: "1", summary: "Initial version", }, { date: "2022-11-28T14:39:27+00:00", number: "2", summary: "Last updated version", }, { date: "2024-12-18T00:37:36+00:00", number: "3", summary: "Last generated version", }, ], status: "final", version: "3", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_name", name: "Red Hat Fuse 7.11.1", product: { name: "Red Hat Fuse 7.11.1", product_id: "Red Hat Fuse 7.11.1", product_identification_helper: { cpe: "cpe:/a:redhat:jboss_fuse:7", }, }, }, ], category: "product_family", name: "Red Hat JBoss Fuse", }, ], category: "vendor", name: "Red Hat", }, ], }, vulnerabilities: [ { cve: "CVE-2019-8331", cwe: { id: "CWE-79", name: "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", }, discovery_date: "2019-02-20T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1686454", }, ], notes: [ { category: "description", text: "A cross-site scripting vulnerability was discovered in bootstrap. If an attacker could control the data given to tooltip or popover, they could inject HTML or Javascript into the rendered page when tooltip or popover events fired.", title: "Vulnerability description", }, { category: "summary", text: "bootstrap: XSS in the tooltip or popover data-template attribute", title: "Vulnerability summary", }, { category: "other", text: "Red Hat CloudForms 4.6 and newer versions include the vulnerable component, but there is no risk of exploitation since there is no possible vector to access the vulnerability. Older Red Hat CloudForms versions don't use the vulnerable component at all.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat Fuse 7.11.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2019-8331", }, { category: "external", summary: "RHBZ#1686454", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1686454", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2019-8331", url: "https://www.cve.org/CVERecord?id=CVE-2019-8331", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2019-8331", url: "https://nvd.nist.gov/vuln/detail/CVE-2019-8331", }, ], release_date: "2019-02-11T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2022-11-28T14:39:27+00:00", details: "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nInstallation instructions are available from the Fuse 7.11.1 product documentation page:\nhttps://access.redhat.com/documentation/en-us/red_hat_fuse/7.11/", product_ids: [ "Red Hat Fuse 7.11.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2022:8652", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 6.1, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "CHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", version: "3.0", }, products: [ "Red Hat Fuse 7.11.1", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "bootstrap: XSS in the tooltip or popover data-template attribute", }, { cve: "CVE-2021-3717", cwe: { id: "CWE-552", name: "Files or Directories Accessible to External Parties", }, discovery_date: "2021-07-27T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1991305", }, ], notes: [ { category: "description", text: "A flaw was found in Wildfly. An incorrect JBOSS_LOCAL_USER challenge location when using the elytron configuration may lead to JBOSS_LOCAL_USER access to all users on the machine. The highest threat from this vulnerability is to confidentiality, integrity, and availability.", title: "Vulnerability description", }, { category: "summary", text: "wildfly: incorrect JBOSS_LOCAL_USER challenge location may lead to giving access to all the local users", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat Fuse 7.11.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2021-3717", }, { category: "external", summary: "RHBZ#1991305", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1991305", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2021-3717", url: "https://www.cve.org/CVERecord?id=CVE-2021-3717", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2021-3717", url: "https://nvd.nist.gov/vuln/detail/CVE-2021-3717", }, ], release_date: "2021-08-18T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2022-11-28T14:39:27+00:00", details: "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nInstallation instructions are available from the Fuse 7.11.1 product documentation page:\nhttps://access.redhat.com/documentation/en-us/red_hat_fuse/7.11/", product_ids: [ "Red Hat Fuse 7.11.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2022:8652", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "LOCAL", availabilityImpact: "HIGH", baseScore: 7.8, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, products: [ "Red Hat Fuse 7.11.1", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "wildfly: incorrect JBOSS_LOCAL_USER challenge location may lead to giving access to all the local users", }, { cve: "CVE-2021-31684", cwe: { id: "CWE-787", name: "Out-of-bounds Write", }, discovery_date: "2022-06-30T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2102695", }, ], notes: [ { category: "description", text: "A flaw was found in the json-smart package in the JSONParserByteArray. This flaw allows an attacker to cause a denial of service.", title: "Vulnerability description", }, { category: "summary", text: "json-smart: Denial of Service in JSONParserByteArray function", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat Fuse 7.11.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2021-31684", }, { category: "external", summary: "RHBZ#2102695", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2102695", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2021-31684", url: "https://www.cve.org/CVERecord?id=CVE-2021-31684", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2021-31684", url: "https://nvd.nist.gov/vuln/detail/CVE-2021-31684", }, ], release_date: "2021-06-01T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2022-11-28T14:39:27+00:00", details: "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nInstallation instructions are available from the Fuse 7.11.1 product documentation page:\nhttps://access.redhat.com/documentation/en-us/red_hat_fuse/7.11/", product_ids: [ "Red Hat Fuse 7.11.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2022:8652", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "Red Hat Fuse 7.11.1", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "json-smart: Denial of Service in JSONParserByteArray function", }, { cve: "CVE-2021-44906", cwe: { id: "CWE-1321", name: "Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')", }, discovery_date: "2022-03-19T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2066009", }, ], notes: [ { category: "description", text: "An Uncontrolled Resource Consumption flaw was found in minimist. This flaw allows an attacker to trick the library into adding or modifying the properties of Object.prototype, using a constructor or __proto__ payload, resulting in prototype pollution and loss of confidentiality, availability, and integrity.", title: "Vulnerability description", }, { category: "summary", text: "minimist: prototype pollution", title: "Vulnerability summary", }, { category: "other", text: "The original fix for CVE-2020-7598 was incomplete as it was still possible to bypass in some cases. While this flaw (CVE-2021-44906) enables attackers to control objects that they should not have access to, actual exploitation would still require a chain of independent flaws. Even though the CVSS for CVE-2021-44906 is higher than CVE-2020-7598, they are both rated as having Moderate impact.\n\nWithin Red Hat Satellite 6 this flaw has been rated as having a security impact of Low. It is not currently planned to be addressed there, as the minimist library is only included in the -doc subpackage and is part of test fixtures that are not in the execution path used by the rabl gem.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat Fuse 7.11.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2021-44906", }, { category: "external", summary: "RHBZ#2066009", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2066009", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2021-44906", url: "https://www.cve.org/CVERecord?id=CVE-2021-44906", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2021-44906", url: "https://nvd.nist.gov/vuln/detail/CVE-2021-44906", }, { category: "external", summary: "https://github.com/advisories/GHSA-xvch-5gv4-984h", url: "https://github.com/advisories/GHSA-xvch-5gv4-984h", }, ], release_date: "2022-03-10T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2022-11-28T14:39:27+00:00", details: "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nInstallation instructions are available from the Fuse 7.11.1 product documentation page:\nhttps://access.redhat.com/documentation/en-us/red_hat_fuse/7.11/", product_ids: [ "Red Hat Fuse 7.11.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2022:8652", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 9.8, baseSeverity: "CRITICAL", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, products: [ "Red Hat Fuse 7.11.1", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "minimist: prototype pollution", }, { cve: "CVE-2022-0613", cwe: { id: "CWE-639", name: "Authorization Bypass Through User-Controlled Key", }, discovery_date: "2022-02-17T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2055496", }, ], notes: [ { category: "description", text: "A flaw was found in urijs due to the fix of CVE-2021-3647 not considering case-sensitive protocol schemes in the URL. This issue allows attackers to bypass the patch.", title: "Vulnerability description", }, { category: "summary", text: "urijs: Authorization Bypass Through User-Controlled Key", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat Fuse 7.11.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-0613", }, { category: "external", summary: "RHBZ#2055496", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2055496", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-0613", url: "https://www.cve.org/CVERecord?id=CVE-2022-0613", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-0613", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-0613", }, ], release_date: "2022-02-16T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2022-11-28T14:39:27+00:00", details: "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nInstallation instructions are available from the Fuse 7.11.1 product documentation page:\nhttps://access.redhat.com/documentation/en-us/red_hat_fuse/7.11/", product_ids: [ "Red Hat Fuse 7.11.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2022:8652", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 6.5, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", version: "3.1", }, products: [ "Red Hat Fuse 7.11.1", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "urijs: Authorization Bypass Through User-Controlled Key", }, { cve: "CVE-2022-2048", cwe: { id: "CWE-410", name: "Insufficient Resource Pool", }, discovery_date: "2022-08-09T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2116952", }, ], notes: [ { category: "description", text: "A flaw was found in the Eclipse Jetty http2-server package. This flaw allows an attacker to cause a denial of service in the server via HTTP/2 requests.", title: "Vulnerability description", }, { category: "summary", text: "http2-server: Invalid HTTP/2 requests cause DoS", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat Fuse 7.11.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-2048", }, { category: "external", summary: "RHBZ#2116952", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2116952", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-2048", url: "https://www.cve.org/CVERecord?id=CVE-2022-2048", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-2048", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-2048", }, { category: "external", summary: "https://github.com/eclipse/jetty.project/security/advisories/GHSA-wgmr-mf83-7x4j", url: "https://github.com/eclipse/jetty.project/security/advisories/GHSA-wgmr-mf83-7x4j", }, ], release_date: "2022-07-07T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2022-11-28T14:39:27+00:00", details: "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nInstallation instructions are available from the Fuse 7.11.1 product documentation page:\nhttps://access.redhat.com/documentation/en-us/red_hat_fuse/7.11/", product_ids: [ "Red Hat Fuse 7.11.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2022:8652", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "Red Hat Fuse 7.11.1", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "http2-server: Invalid HTTP/2 requests cause DoS", }, { cve: "CVE-2022-2053", cwe: { id: "CWE-770", name: "Allocation of Resources Without Limits or Throttling", }, discovery_date: "2022-06-10T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2095862", }, ], notes: [ { category: "description", text: "A flaw was found in Undertow. AJP requests to the server may allow an attacker to send a malicious request and trigger server errors, resulting in a denial of service.", title: "Vulnerability description", }, { category: "summary", text: "undertow: Large AJP request may cause DoS", title: "Vulnerability summary", }, { category: "other", text: "Red Hat Fuse 7 is now in Maintenance Support Phase and is marked Fixed. However, Red Hat Fuse Online does not contain the fix for this flaw.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat Fuse 7.11.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-2053", }, { category: "external", summary: "RHBZ#2095862", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2095862", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-2053", url: "https://www.cve.org/CVERecord?id=CVE-2022-2053", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-2053", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-2053", }, ], release_date: "2022-06-14T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2022-11-28T14:39:27+00:00", details: "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nInstallation instructions are available from the Fuse 7.11.1 product documentation page:\nhttps://access.redhat.com/documentation/en-us/red_hat_fuse/7.11/", product_ids: [ "Red Hat Fuse 7.11.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2022:8652", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "Red Hat Fuse 7.11.1", ], }, ], threats: [ { category: "impact", details: "Low", }, ], title: "undertow: Large AJP request may cause DoS", }, { cve: "CVE-2022-24723", cwe: { id: "CWE-1173", name: "Improper Use of Validation Framework", }, discovery_date: "2022-03-03T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2062370", }, ], notes: [ { category: "description", text: "An improper input validation flaw was found in urijs where white space characters are not removed from the beginning of an URL. This issue allows bypassing the protocol validation.", title: "Vulnerability description", }, { category: "summary", text: "urijs: Leading white space bypasses protocol validation", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat Fuse 7.11.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-24723", }, { category: "external", summary: "RHBZ#2062370", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2062370", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-24723", url: "https://www.cve.org/CVERecord?id=CVE-2022-24723", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-24723", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-24723", }, ], release_date: "2022-03-03T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2022-11-28T14:39:27+00:00", details: "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nInstallation instructions are available from the Fuse 7.11.1 product documentation page:\nhttps://access.redhat.com/documentation/en-us/red_hat_fuse/7.11/", product_ids: [ "Red Hat Fuse 7.11.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2022:8652", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 5.3, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", version: "3.1", }, products: [ "Red Hat Fuse 7.11.1", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "urijs: Leading white space bypasses protocol validation", }, { cve: "CVE-2022-24785", cwe: { id: "CWE-22", name: "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", }, discovery_date: "2022-04-05T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2072009", }, ], notes: [ { category: "description", text: "A path traversal vulnerability was found in Moment.js that impacts npm (server) users. This issue occurs if a user-provided locale string is directly used to switch moment locale, which an attacker can exploit to change the correct path to one of their choice. This can result in a loss of integrity.", title: "Vulnerability description", }, { category: "summary", text: "Moment.js: Path traversal in moment.locale", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat Fuse 7.11.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-24785", }, { category: "external", summary: "RHBZ#2072009", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2072009", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-24785", url: "https://www.cve.org/CVERecord?id=CVE-2022-24785", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-24785", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-24785", }, { category: "external", summary: "https://github.com/moment/moment/security/advisories/GHSA-8hfj-j24r-96c4", url: "https://github.com/moment/moment/security/advisories/GHSA-8hfj-j24r-96c4", }, ], release_date: "2022-04-04T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2022-11-28T14:39:27+00:00", details: "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nInstallation instructions are available from the Fuse 7.11.1 product documentation page:\nhttps://access.redhat.com/documentation/en-us/red_hat_fuse/7.11/", product_ids: [ "Red Hat Fuse 7.11.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2022:8652", }, { category: "workaround", details: "Sanitize the user-provided locale name before passing it to Moment.js.", product_ids: [ "Red Hat Fuse 7.11.1", ], }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", version: "3.1", }, products: [ "Red Hat Fuse 7.11.1", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "Moment.js: Path traversal in moment.locale", }, { cve: "CVE-2022-24823", cwe: { id: "CWE-379", name: "Creation of Temporary File in Directory with Insecure Permissions", }, discovery_date: "2022-05-17T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2087186", }, ], notes: [ { category: "description", text: "CVE-2021-21290 contains an incomplete fix, and this addresses the issue found in netty. When using multipart decoders in netty, local information disclosure can occur via the local system temporary directory if temporary storing of uploads on the disk is enabled.", title: "Vulnerability description", }, { category: "summary", text: "netty: world readable temporary file containing sensitive data", title: "Vulnerability summary", }, { category: "other", text: "This issue only impacts applications running on Java version 6 and lower. Additionally, this vulnerability impacts code running on Unix-like systems, and very old versions of Mac OSX and Windows as they all share the system temporary directory between all users.\n\nRed Hat Satellite 6 is not affected as is using netty 3.6.7 version which is not impacted by this vulnerability.\n\nRed Hat Fuse 7 is now in Maintenance Support Phase and should be fixed soon. However, Red Hat Fuse Online (Syndesis) does will not contain the fix for this flaw.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat Fuse 7.11.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-24823", }, { category: "external", summary: "RHBZ#2087186", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2087186", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-24823", url: "https://www.cve.org/CVERecord?id=CVE-2022-24823", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-24823", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-24823", }, ], release_date: "2022-05-06T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2022-11-28T14:39:27+00:00", details: "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nInstallation instructions are available from the Fuse 7.11.1 product documentation page:\nhttps://access.redhat.com/documentation/en-us/red_hat_fuse/7.11/", product_ids: [ "Red Hat Fuse 7.11.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2022:8652", }, { category: "workaround", details: "As a workaround, specify one's own `java.io.tmpdir` when starting the JVM or use DefaultHttpDataFactory.setBaseDir(...) to set the directory to something that is only readable by the current user.", product_ids: [ "Red Hat Fuse 7.11.1", ], }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "LOCAL", availabilityImpact: "NONE", baseScore: 5.5, baseSeverity: "MEDIUM", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", version: "3.1", }, products: [ "Red Hat Fuse 7.11.1", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "netty: world readable temporary file containing sensitive data", }, { cve: "CVE-2022-25857", cwe: { id: "CWE-400", name: "Uncontrolled Resource Consumption", }, discovery_date: "2022-09-14T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2126789", }, ], notes: [ { category: "description", text: "A flaw was found in the org.yaml.snakeyaml package. This flaw allows an attacker to cause a denial of service (DoS) due to missing nested depth limitation for collections.", title: "Vulnerability description", }, { category: "summary", text: "snakeyaml: Denial of Service due to missing nested depth limitation for collections", title: "Vulnerability summary", }, { category: "other", text: "For RHEL-8 it's downgraded to moderate because \"snakeyaml\" itself in RHEL 8 or RHEL-9 isn't shipped and \"prometheus-jmx-exporter\" is needed as build dependency. And it's not directly exploitable, hence severity marked as moderate.\nRed Hat Integration and AMQ products are not vulnerable to this flaw, so their severity has been lowered to moderate.\nRed Hat Single Sign-On uses snakeyaml from liquibase-core and is only used when performing migrations and would require administrator privileges to execute, hence severity marked as Low.\nRed Hat Fuse 7 is now in Maintenance Support Phase and details about its fix should be present soon. However, Red Hat Fuse Online (Syndesis) does will not contain the fix for this flaw.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat Fuse 7.11.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-25857", }, { category: "external", summary: "RHBZ#2126789", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2126789", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-25857", url: "https://www.cve.org/CVERecord?id=CVE-2022-25857", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-25857", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-25857", }, { category: "external", summary: "https://bitbucket.org/snakeyaml/snakeyaml/issues/525", url: "https://bitbucket.org/snakeyaml/snakeyaml/issues/525", }, ], release_date: "2022-08-30T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2022-11-28T14:39:27+00:00", details: "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nInstallation instructions are available from the Fuse 7.11.1 product documentation page:\nhttps://access.redhat.com/documentation/en-us/red_hat_fuse/7.11/", product_ids: [ "Red Hat Fuse 7.11.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2022:8652", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "Red Hat Fuse 7.11.1", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "snakeyaml: Denial of Service due to missing nested depth limitation for collections", }, { cve: "CVE-2022-31129", cwe: { id: "CWE-400", name: "Uncontrolled Resource Consumption", }, discovery_date: "2022-07-07T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2105075", }, ], notes: [ { category: "description", text: "A flaw was found in the Moment.js package. Users who pass user-provided strings without sanity length checks to the moment constructor are vulnerable to regular expression denial of service (ReDoS) attacks.", title: "Vulnerability description", }, { category: "summary", text: "moment: inefficient parsing algorithm resulting in DoS", title: "Vulnerability summary", }, { category: "other", text: "Red Hat Fuse provides the affected software but does not use the functionality and as such its impact has been downgraded to Low.\n\nRed Hat Advanced Cluster Management for Kubernetes (RHACM) ships a vulnerable version of the moment library. However, this affected functionality is restricted behind OAuth, reducing the impact to Moderate.\n\nRed Hat Satellite ships a vulnerable version of the moment library. However, this only affects a specific component (qpid-dispatch), reducing the impact to Moderate.\n\nRed Hat Ceph Storage (RHCS) ships a vulnerable version of the moment library, however, it is not directly used and is a transitive dependency from Angular. In addition, the impact would only be to the grafana browser, and not the underlying RHCS system, which reduces the impact to Moderate. \n\nRed Hat OpenShift Service Mesh (OSSM) ships a vulnerable version of the moment library, however, it is not directly used, and as such, the impact has been lowered to Moderate.\n\nRed Hat OpenShift distributed tracing ships a vulnerable version of the moment library, however, it is not directly used, and as such, the impact has been lowered to Moderate.\n\nIn Logging Subsystem for Red Hat OpenShift the vulnerable moment nodejs package is bundled in the ose-logging-kibana6 container as a transitive dependency, hence the direct impact is reduced to Moderate.\n\nIn OpenShift Container Platform 4 the vulnerabile moment package is a third party dependency, hence the direct impact is reduced to Moderate.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat Fuse 7.11.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-31129", }, { category: "external", summary: "RHBZ#2105075", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2105075", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-31129", url: "https://www.cve.org/CVERecord?id=CVE-2022-31129", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-31129", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-31129", }, { category: "external", summary: "https://github.com/moment/moment/security/advisories/GHSA-wc69-rhjr-hc9g", url: "https://github.com/moment/moment/security/advisories/GHSA-wc69-rhjr-hc9g", }, ], release_date: "2022-07-06T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2022-11-28T14:39:27+00:00", details: "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nInstallation instructions are available from the Fuse 7.11.1 product documentation page:\nhttps://access.redhat.com/documentation/en-us/red_hat_fuse/7.11/", product_ids: [ "Red Hat Fuse 7.11.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2022:8652", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "Red Hat Fuse 7.11.1", ], }, ], threats: [ { category: "impact", details: "Low", }, ], title: "moment: inefficient parsing algorithm resulting in DoS", }, { cve: "CVE-2022-31197", cwe: { id: "CWE-89", name: "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", }, discovery_date: "2022-09-23T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2129428", }, ], notes: [ { category: "description", text: "A flaw was found in PostgresQL. This flaw allows an attacker to benefit from a miss escaping character and leads to a SQL injection attack due to Java.sql.ResultRow.refreshRow() implementation from PGSQL.", title: "Vulnerability description", }, { category: "summary", text: "postgresql: SQL Injection in ResultSet.refreshRow() with malicious column names", title: "Vulnerability summary", }, { category: "other", text: "User applications that do not invoke the `ResultSet.refreshRow()` method are not impacted.\nRed Hat Fuse 7 is now in Maintenance Support Phase and details about its fix should be presented soon. However, Red Hat Fuse Online (Syndesis) does will not contain the fix for this flaw.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat Fuse 7.11.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-31197", }, { category: "external", summary: "RHBZ#2129428", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2129428", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-31197", url: "https://www.cve.org/CVERecord?id=CVE-2022-31197", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-31197", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-31197", }, { category: "external", summary: "https://github.com/pgjdbc/pgjdbc/security/advisories/GHSA-r38f-c4h4-hqq2", url: "https://github.com/pgjdbc/pgjdbc/security/advisories/GHSA-r38f-c4h4-hqq2", }, ], release_date: "2022-08-03T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2022-11-28T14:39:27+00:00", details: "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nInstallation instructions are available from the Fuse 7.11.1 product documentation page:\nhttps://access.redhat.com/documentation/en-us/red_hat_fuse/7.11/", product_ids: [ "Red Hat Fuse 7.11.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2022:8652", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 8, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H", version: "3.1", }, products: [ "Red Hat Fuse 7.11.1", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "postgresql: SQL Injection in ResultSet.refreshRow() with malicious column names", }, { cve: "CVE-2022-33980", discovery_date: "2022-07-07T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2105067", }, ], notes: [ { category: "description", text: "A flaw was found in Apache Commons Configuration's variable interpolation, which by default included several lookup actions that could permit script invocation on remote servers. This issue could allow an attacker to use one of these actions to send a request to execute arbitrary code on the server.", title: "Vulnerability description", }, { category: "summary", text: "apache-commons-configuration: Apache Commons Configuration insecure interpolation defaults", title: "Vulnerability summary", }, { category: "other", text: "Red Hat Satellite embeds affected commons-configuration2 with Candlepin, however, product is not affected since vulnerable org.apache.commons.configuration2.interpol.Lookup is not exposed in code. Product Security has rated this vulnerability Low for Satellite and there is no harm identified to confidentiality, integrity, and availability.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat Fuse 7.11.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-33980", }, { category: "external", summary: "RHBZ#2105067", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2105067", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-33980", url: "https://www.cve.org/CVERecord?id=CVE-2022-33980", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-33980", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-33980", }, ], release_date: "2022-07-06T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2022-11-28T14:39:27+00:00", details: "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nInstallation instructions are available from the Fuse 7.11.1 product documentation page:\nhttps://access.redhat.com/documentation/en-us/red_hat_fuse/7.11/", product_ids: [ "Red Hat Fuse 7.11.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2022:8652", }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, products: [ "Red Hat Fuse 7.11.1", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "apache-commons-configuration: Apache Commons Configuration insecure interpolation defaults", }, { cve: "CVE-2022-38749", cwe: { id: "CWE-787", name: "Out-of-bounds Write", }, discovery_date: "2022-09-26T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2129706", }, ], notes: [ { category: "description", text: "A flaw was found in the snakeyaml package due to a stack-overflow in parsing YAML files. By persuading a victim to open a specially-crafted file, a remote attacker could cause the application to crash, resulting in a denial of service.", title: "Vulnerability description", }, { category: "summary", text: "snakeyaml: Uncaught exception in org.yaml.snakeyaml.composer.Composer.composeSequenceNode", title: "Vulnerability summary", }, { category: "other", text: "Red Hat Build of Quarkus is not affected by this issue as it already includes the fixed version.\n\nSatellite component Candlepin does not directly use snakeyaml, so it is not affected. Regardless, an update with the latest, unaffected snakeyaml version will be provided at next release.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat Fuse 7.11.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-38749", }, { category: "external", summary: "RHBZ#2129706", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2129706", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-38749", url: "https://www.cve.org/CVERecord?id=CVE-2022-38749", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-38749", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-38749", }, ], release_date: "2022-09-05T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2022-11-28T14:39:27+00:00", details: "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nInstallation instructions are available from the Fuse 7.11.1 product documentation page:\nhttps://access.redhat.com/documentation/en-us/red_hat_fuse/7.11/", product_ids: [ "Red Hat Fuse 7.11.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2022:8652", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 6.5, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "Red Hat Fuse 7.11.1", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "snakeyaml: Uncaught exception in org.yaml.snakeyaml.composer.Composer.composeSequenceNode", }, { cve: "CVE-2022-41853", cwe: { id: "CWE-470", name: "Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')", }, discovery_date: "2022-10-19T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2136141", }, ], notes: [ { category: "description", text: "A flaw was found in the HSQLDB package. This flaw allows untrusted inputs to execute remote code due to any static method of any Java class in the classpath, resulting in code execution by default.", title: "Vulnerability description", }, { category: "summary", text: "hsqldb: Untrusted input may lead to RCE attack", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat Fuse 7.11.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-41853", }, { category: "external", summary: "RHBZ#2136141", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2136141", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-41853", url: "https://www.cve.org/CVERecord?id=CVE-2022-41853", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-41853", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-41853", }, { category: "external", summary: "http://hsqldb.org/doc/2.0/guide/sqlroutines-chapt.html#src_jrt_access_control", url: "http://hsqldb.org/doc/2.0/guide/sqlroutines-chapt.html#src_jrt_access_control", }, { category: "external", summary: "https://github.com/advisories/GHSA-77xx-rxvh-q682", url: "https://github.com/advisories/GHSA-77xx-rxvh-q682", }, ], release_date: "2022-10-06T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2022-11-28T14:39:27+00:00", details: "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nInstallation instructions are available from the Fuse 7.11.1 product documentation page:\nhttps://access.redhat.com/documentation/en-us/red_hat_fuse/7.11/", product_ids: [ "Red Hat Fuse 7.11.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2022:8652", }, { category: "workaround", details: "By default, the static methods of any class that is on the classpath are available for use and can compromise security in some systems. The optional Java system property, hsqldb.method_class_names, allows preventing access to classes other than java.lang.Math or specifying a semicolon-separated list of allowed classes. A property value that ends with .* is treated as a wild card and allows access to all class or method names formed by substitution of the * (asterisk).\n\nIn the example below, the property has been included as an argument to the Java command.\n\n java -Dhsqldb.method_class_names=\"org.me.MyClass;org.you.YourClass;org.you.lib.*\" [the rest of the command line]\n\nThe above example allows access to the methods in the two classes: org.me.MyClass and org.you.YourClass together with all the classes in the org.you.lib package. Note that if the property is not defined, no access control is performed at this level.\n\nThe user who creates a Java routine must have the relevant access privileges on the tables that are used inside the Java method.\n\nOnce the routine has been defined, the normal database access control applies to its user. The routine can be executed only by those users who have been granted EXECUTE privileges on it. Access to routines can be granted to users with GRANT EXECUTE or GRANT ALL. For example, GRANT EXECUTE ON myroutine TO PUBLIC.\n\nIn hsqldb 2.7.1, all classes by default are not accessible, except those in java.lang.Math and need to be manually enabled.", product_ids: [ "Red Hat Fuse 7.11.1", ], }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 9.8, baseSeverity: "CRITICAL", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, products: [ "Red Hat Fuse 7.11.1", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "hsqldb: Untrusted input may lead to RCE attack", }, { cve: "CVE-2022-42889", cwe: { id: "CWE-1188", name: "Initialization of a Resource with an Insecure Default", }, discovery_date: "2022-10-15T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2135435", }, ], notes: [ { category: "description", text: "A flaw was found in Apache Commons Text packages 1.5 through 1.9. The affected versions allow an attacker to benefit from a variable interpolation process contained in Apache Commons Text, which can cause properties to be dynamically defined. Server applications are vulnerable to remote code execution (RCE) and unintentional contact with untrusted remote servers.", title: "Vulnerability description", }, { category: "summary", text: "apache-commons-text: variable interpolation RCE", title: "Vulnerability summary", }, { category: "other", text: "In order to carry successful exploitation of this vulnerability, the following conditions must be in place on the affected target:\n - Usage of specific methods that interpolate the variables as described in the flaw\n - Usage of external input for those methods\n - Usage of that external input has to be unsanitized/no \"allow list\"/etc.\n\nThe following products have *Low* impact because they have maven references to the affected package but do not ship it nor use the code:\n- Red Hat EAP Expansion Pack (EAP-XP)\n- Red Hat Camel-K\n- Red Hat Camel-Quarkus\n\nRed Hat Satellite ships Candlepin that embeds Apache Commons Text, however, it is not vulnerable to the flaw since the library has not been exposed in the product code. In Candlepin, the Commons Text is being pulled for the Liquibase and ActiveMQ Artemis libraries as a dependency. Red Hat Product Security has evaluated and rated the impact of the flaw as Low for Satellite since there was no harm identified to the confidentiality, integrity, or availability of systems.\n\n- The OCP has a *Moderate* impact because the affected library is a third-party library in the OCP jenkins-2-plugin component which reduces the possibilities of successful exploitation.\n- The OCP-4.8 is affected by this CVE and is in an extended life phase. For versions of products in the Extended Life Phase, Red Hat will provide limited ongoing technical support. No bug fixes, security fixes, hardware enablement or root-cause analysis will be available during this phase, and support will be provided on existing installations only.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat Fuse 7.11.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-42889", }, { category: "external", summary: "RHBZ#2135435", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2135435", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-42889", url: "https://www.cve.org/CVERecord?id=CVE-2022-42889", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-42889", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-42889", }, { category: "external", summary: "https://blogs.apache.org/security/entry/cve-2022-42889", url: "https://blogs.apache.org/security/entry/cve-2022-42889", }, { category: "external", summary: "https://lists.apache.org/thread/n2bd4vdsgkqh2tm14l1wyc3jyol7s1om", url: "https://lists.apache.org/thread/n2bd4vdsgkqh2tm14l1wyc3jyol7s1om", }, { category: "external", summary: "https://seclists.org/oss-sec/2022/q4/22", url: "https://seclists.org/oss-sec/2022/q4/22", }, ], release_date: "2022-10-13T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2022-11-28T14:39:27+00:00", details: "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nInstallation instructions are available from the Fuse 7.11.1 product documentation page:\nhttps://access.redhat.com/documentation/en-us/red_hat_fuse/7.11/", product_ids: [ "Red Hat Fuse 7.11.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2022:8652", }, { category: "workaround", details: "This flaw may be avoided by ensuring that any external inputs used with the Commons-Text lookup methods are sanitized properly. Untrusted input should always be thoroughly sanitized before using in any potentially risky situations.", product_ids: [ "Red Hat Fuse 7.11.1", ], }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 9.8, baseSeverity: "CRITICAL", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, products: [ "Red Hat Fuse 7.11.1", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "apache-commons-text: variable interpolation RCE", }, ], }
RHSA-2022:8652
Vulnerability from csaf_redhat
Published
2022-11-28 14:39
Modified
2025-03-23 05:12
Summary
Red Hat Security Advisory: Red Hat Fuse 7.11.1 release and security update
Notes
Topic
A minor version update (from 7.11 to 7.11.1) is now available for Red Hat Fuse. The purpose of this text-only errata is to inform you about the security issues fixed in this release.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
This release of Red Hat Fuse 7.11.1 serves as a replacement for Red Hat Fuse 7.11 and includes bug fixes and enhancements, which are documented in the Release Notes document linked in the References.
Security Fix(es):
* hsqldb: Untrusted input may lead to RCE attack [fuse-7] (CVE-2022-41853)
* io.hawt-hawtio-online: bootstrap: XSS in the tooltip or popover data-template attribute [fuse-7] (CVE-2019-8331)
* io.hawt-project: bootstrap: XSS in the tooltip or popover data-template attribute [fuse-7] (CVE-2019-8331)
* wildfly: incorrect JBOSS_LOCAL_USER challenge location may lead to giving access to all the local users [fuse-7] (CVE-2021-3717)
* json-smart: Denial of Service in JSONParserByteArray function [fuse-7] (CVE-2021-31684)
* io.hawt-hawtio-integration: minimist: prototype pollution [fuse-7] (CVE-2021-44906)
* urijs: Authorization Bypass Through User-Controlled Key [fuse-7] (CVE-2022-0613)
* http2-server: Invalid HTTP/2 requests cause DoS [fuse-7] (CVE-2022-2048)
* snakeyaml: Denial of Service due to missing nested depth limitation for collections [fuse-7] (CVE-2022-25857)
* urijs: Leading white space bypasses protocol validation [fuse-7] (CVE-2022-24723)
* Moment.js: Path traversal in moment.locale [fuse-7] (CVE-2022-24785)
* netty: world readable temporary file containing sensitive data [fuse-7] (CVE-2022-24823)
* jdbc-postgresql: postgresql: SQL Injection in ResultSet.refreshRow() with malicious column names [fuse-7] (CVE-2022-31197)
* commons-configuration2: apache-commons-configuration: Apache Commons Configuration insecure interpolation defaults [fuse-7] (CVE-2022-33980)
* commons-text: apache-commons-text: variable interpolation RCE [fuse-7] (CVE-2022-42889)
* undertow: Large AJP request may cause DoS [fuse-7] (CVE-2022-2053)
* moment: inefficient parsing algorithm resulting in DoS [fuse-7] (CVE-2022-31129)
* snakeyaml: Uncaught exception in org.yaml.snakeyaml.composer.Composer.composeSequenceNode [fuse-7] (CVE-2022-38749)
For more details about the security issues, including the impact, CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ document: { aggregate_severity: { namespace: "https://access.redhat.com/security/updates/classification/", text: "Important", }, category: "csaf_security_advisory", csaf_version: "2.0", distribution: { text: "Copyright © Red Hat, Inc. All rights reserved.", tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "en", notes: [ { category: "summary", text: "A minor version update (from 7.11 to 7.11.1) is now available for Red Hat Fuse. The purpose of this text-only errata is to inform you about the security issues fixed in this release.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", title: "Topic", }, { category: "general", text: "This release of Red Hat Fuse 7.11.1 serves as a replacement for Red Hat Fuse 7.11 and includes bug fixes and enhancements, which are documented in the Release Notes document linked in the References.\n\nSecurity Fix(es):\n\n* hsqldb: Untrusted input may lead to RCE attack [fuse-7] (CVE-2022-41853)\n\n* io.hawt-hawtio-online: bootstrap: XSS in the tooltip or popover data-template attribute [fuse-7] (CVE-2019-8331)\n\n* io.hawt-project: bootstrap: XSS in the tooltip or popover data-template attribute [fuse-7] (CVE-2019-8331)\n\n* wildfly: incorrect JBOSS_LOCAL_USER challenge location may lead to giving access to all the local users [fuse-7] (CVE-2021-3717)\n\n* json-smart: Denial of Service in JSONParserByteArray function [fuse-7] (CVE-2021-31684)\n\n* io.hawt-hawtio-integration: minimist: prototype pollution [fuse-7] (CVE-2021-44906)\n\n* urijs: Authorization Bypass Through User-Controlled Key [fuse-7] (CVE-2022-0613)\n\n* http2-server: Invalid HTTP/2 requests cause DoS [fuse-7] (CVE-2022-2048)\n\n* snakeyaml: Denial of Service due to missing nested depth limitation for collections [fuse-7] (CVE-2022-25857)\n\n* urijs: Leading white space bypasses protocol validation [fuse-7] (CVE-2022-24723)\n\n* Moment.js: Path traversal in moment.locale [fuse-7] (CVE-2022-24785)\n\n* netty: world readable temporary file containing sensitive data [fuse-7] (CVE-2022-24823)\n\n* jdbc-postgresql: postgresql: SQL Injection in ResultSet.refreshRow() with malicious column names [fuse-7] (CVE-2022-31197)\n\n* commons-configuration2: apache-commons-configuration: Apache Commons Configuration insecure interpolation defaults [fuse-7] (CVE-2022-33980)\n\n* commons-text: apache-commons-text: variable interpolation RCE [fuse-7] (CVE-2022-42889)\n\n* undertow: Large AJP request may cause DoS [fuse-7] (CVE-2022-2053)\n\n* moment: inefficient parsing algorithm resulting in DoS [fuse-7] (CVE-2022-31129)\n\n* snakeyaml: Uncaught exception in org.yaml.snakeyaml.composer.Composer.composeSequenceNode [fuse-7] (CVE-2022-38749)\n\nFor more details about the security issues, including the impact, CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", title: "Details", }, { category: "legal_disclaimer", text: "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", title: "Terms of Use", }, ], publisher: { category: "vendor", contact_details: "https://access.redhat.com/security/team/contact/", issuing_authority: "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", name: "Red Hat Product Security", namespace: "https://www.redhat.com", }, references: [ { category: "self", summary: "https://access.redhat.com/errata/RHSA-2022:8652", url: "https://access.redhat.com/errata/RHSA-2022:8652", }, { category: "external", summary: "https://access.redhat.com/security/updates/classification/#important", url: "https://access.redhat.com/security/updates/classification/#important", }, { category: "external", summary: "1686454", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1686454", }, { category: "external", summary: "1991305", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1991305", }, { category: "external", summary: "2055496", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2055496", }, { category: "external", summary: "2062370", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2062370", }, { category: "external", summary: "2066009", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2066009", }, { category: "external", summary: "2072009", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2072009", }, { category: "external", summary: "2087186", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2087186", }, { category: "external", summary: "2095862", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2095862", }, { category: "external", summary: "2102695", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2102695", }, { category: "external", summary: "2105067", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2105067", }, { category: "external", summary: "2105075", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2105075", }, { category: "external", summary: "2116952", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2116952", }, { category: "external", summary: "2126789", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2126789", }, { category: "external", summary: "2129428", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2129428", }, { category: "external", summary: "2129706", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2129706", }, { category: "external", summary: "2135435", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2135435", }, { category: "external", summary: "2136141", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2136141", }, { category: "self", summary: "Canonical URL", url: "https://security.access.redhat.com/data/csaf/v2/advisories/2022/rhsa-2022_8652.json", }, ], title: "Red Hat Security Advisory: Red Hat Fuse 7.11.1 release and security update", tracking: { current_release_date: "2025-03-23T05:12:40+00:00", generator: { date: "2025-03-23T05:12:40+00:00", engine: { name: "Red Hat SDEngine", version: "4.4.1", }, }, id: "RHSA-2022:8652", initial_release_date: "2022-11-28T14:39:27+00:00", revision_history: [ { date: "2022-11-28T14:39:27+00:00", number: "1", summary: "Initial version", }, { date: "2022-11-28T14:39:27+00:00", number: "2", summary: "Last updated version", }, { date: "2025-03-23T05:12:40+00:00", number: "3", summary: "Last generated version", }, ], status: "final", version: "3", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_name", name: "Red Hat Fuse 7.11.1", product: { name: "Red Hat Fuse 7.11.1", product_id: "Red Hat Fuse 7.11.1", product_identification_helper: { cpe: "cpe:/a:redhat:jboss_fuse:7", }, }, }, ], category: "product_family", name: "Red Hat JBoss Fuse", }, ], category: "vendor", name: "Red Hat", }, ], }, vulnerabilities: [ { cve: "CVE-2019-8331", cwe: { id: "CWE-79", name: "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", }, discovery_date: "2019-02-20T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1686454", }, ], notes: [ { category: "description", text: "A cross-site scripting vulnerability was discovered in bootstrap. If an attacker could control the data given to tooltip or popover, they could inject HTML or Javascript into the rendered page when tooltip or popover events fired.", title: "Vulnerability description", }, { category: "summary", text: "bootstrap: XSS in the tooltip or popover data-template attribute", title: "Vulnerability summary", }, { category: "other", text: "Red Hat CloudForms 4.6 and newer versions include the vulnerable component, but there is no risk of exploitation since there is no possible vector to access the vulnerability. Older Red Hat CloudForms versions don't use the vulnerable component at all.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat Fuse 7.11.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2019-8331", }, { category: "external", summary: "RHBZ#1686454", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1686454", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2019-8331", url: "https://www.cve.org/CVERecord?id=CVE-2019-8331", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2019-8331", url: "https://nvd.nist.gov/vuln/detail/CVE-2019-8331", }, ], release_date: "2019-02-11T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2022-11-28T14:39:27+00:00", details: "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nInstallation instructions are available from the Fuse 7.11.1 product documentation page:\nhttps://access.redhat.com/documentation/en-us/red_hat_fuse/7.11/", product_ids: [ "Red Hat Fuse 7.11.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2022:8652", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 6.1, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "CHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", version: "3.0", }, products: [ "Red Hat Fuse 7.11.1", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "bootstrap: XSS in the tooltip or popover data-template attribute", }, { cve: "CVE-2021-3717", cwe: { id: "CWE-552", name: "Files or Directories Accessible to External Parties", }, discovery_date: "2021-07-27T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1991305", }, ], notes: [ { category: "description", text: "A flaw was found in Wildfly. An incorrect JBOSS_LOCAL_USER challenge location when using the elytron configuration may lead to JBOSS_LOCAL_USER access to all users on the machine. The highest threat from this vulnerability is to confidentiality, integrity, and availability.", title: "Vulnerability description", }, { category: "summary", text: "wildfly: incorrect JBOSS_LOCAL_USER challenge location may lead to giving access to all the local users", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat Fuse 7.11.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2021-3717", }, { category: "external", summary: "RHBZ#1991305", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1991305", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2021-3717", url: "https://www.cve.org/CVERecord?id=CVE-2021-3717", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2021-3717", url: "https://nvd.nist.gov/vuln/detail/CVE-2021-3717", }, ], release_date: "2021-08-18T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2022-11-28T14:39:27+00:00", details: "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nInstallation instructions are available from the Fuse 7.11.1 product documentation page:\nhttps://access.redhat.com/documentation/en-us/red_hat_fuse/7.11/", product_ids: [ "Red Hat Fuse 7.11.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2022:8652", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "LOCAL", availabilityImpact: "HIGH", baseScore: 7.8, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, products: [ "Red Hat Fuse 7.11.1", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "wildfly: incorrect JBOSS_LOCAL_USER challenge location may lead to giving access to all the local users", }, { cve: "CVE-2021-31684", cwe: { id: "CWE-787", name: "Out-of-bounds Write", }, discovery_date: "2022-06-30T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2102695", }, ], notes: [ { category: "description", text: "A flaw was found in the json-smart package in the JSONParserByteArray. This flaw allows an attacker to cause a denial of service.", title: "Vulnerability description", }, { category: "summary", text: "json-smart: Denial of Service in JSONParserByteArray function", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat Fuse 7.11.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2021-31684", }, { category: "external", summary: "RHBZ#2102695", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2102695", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2021-31684", url: "https://www.cve.org/CVERecord?id=CVE-2021-31684", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2021-31684", url: "https://nvd.nist.gov/vuln/detail/CVE-2021-31684", }, ], release_date: "2021-06-01T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2022-11-28T14:39:27+00:00", details: "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nInstallation instructions are available from the Fuse 7.11.1 product documentation page:\nhttps://access.redhat.com/documentation/en-us/red_hat_fuse/7.11/", product_ids: [ "Red Hat Fuse 7.11.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2022:8652", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "Red Hat Fuse 7.11.1", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "json-smart: Denial of Service in JSONParserByteArray function", }, { cve: "CVE-2021-44906", cwe: { id: "CWE-1321", name: "Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')", }, discovery_date: "2022-03-19T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2066009", }, ], notes: [ { category: "description", text: "An Uncontrolled Resource Consumption flaw was found in minimist. This flaw allows an attacker to trick the library into adding or modifying the properties of Object.prototype, using a constructor or __proto__ payload, resulting in prototype pollution and loss of confidentiality, availability, and integrity.", title: "Vulnerability description", }, { category: "summary", text: "minimist: prototype pollution", title: "Vulnerability summary", }, { category: "other", text: "The original fix for CVE-2020-7598 was incomplete as it was still possible to bypass in some cases. While this flaw (CVE-2021-44906) enables attackers to control objects that they should not have access to, actual exploitation would still require a chain of independent flaws. Even though the CVSS for CVE-2021-44906 is higher than CVE-2020-7598, they are both rated as having Moderate impact.\n\nWithin Red Hat Satellite 6 this flaw has been rated as having a security impact of Low. It is not currently planned to be addressed there, as the minimist library is only included in the -doc subpackage and is part of test fixtures that are not in the execution path used by the rabl gem.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat Fuse 7.11.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2021-44906", }, { category: "external", summary: "RHBZ#2066009", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2066009", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2021-44906", url: "https://www.cve.org/CVERecord?id=CVE-2021-44906", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2021-44906", url: "https://nvd.nist.gov/vuln/detail/CVE-2021-44906", }, { category: "external", summary: "https://github.com/advisories/GHSA-xvch-5gv4-984h", url: "https://github.com/advisories/GHSA-xvch-5gv4-984h", }, ], release_date: "2022-03-10T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2022-11-28T14:39:27+00:00", details: "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nInstallation instructions are available from the Fuse 7.11.1 product documentation page:\nhttps://access.redhat.com/documentation/en-us/red_hat_fuse/7.11/", product_ids: [ "Red Hat Fuse 7.11.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2022:8652", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 9.8, baseSeverity: "CRITICAL", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, products: [ "Red Hat Fuse 7.11.1", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "minimist: prototype pollution", }, { cve: "CVE-2022-0613", cwe: { id: "CWE-639", name: "Authorization Bypass Through User-Controlled Key", }, discovery_date: "2022-02-17T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2055496", }, ], notes: [ { category: "description", text: "A flaw was found in urijs due to the fix of CVE-2021-3647 not considering case-sensitive protocol schemes in the URL. This issue allows attackers to bypass the patch.", title: "Vulnerability description", }, { category: "summary", text: "urijs: Authorization Bypass Through User-Controlled Key", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat Fuse 7.11.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-0613", }, { category: "external", summary: "RHBZ#2055496", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2055496", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-0613", url: "https://www.cve.org/CVERecord?id=CVE-2022-0613", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-0613", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-0613", }, ], release_date: "2022-02-16T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2022-11-28T14:39:27+00:00", details: "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nInstallation instructions are available from the Fuse 7.11.1 product documentation page:\nhttps://access.redhat.com/documentation/en-us/red_hat_fuse/7.11/", product_ids: [ "Red Hat Fuse 7.11.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2022:8652", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 6.5, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", version: "3.1", }, products: [ "Red Hat Fuse 7.11.1", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "urijs: Authorization Bypass Through User-Controlled Key", }, { cve: "CVE-2022-2048", cwe: { id: "CWE-410", name: "Insufficient Resource Pool", }, discovery_date: "2022-08-09T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2116952", }, ], notes: [ { category: "description", text: "A flaw was found in the Eclipse Jetty http2-server package. This flaw allows an attacker to cause a denial of service in the server via HTTP/2 requests.", title: "Vulnerability description", }, { category: "summary", text: "http2-server: Invalid HTTP/2 requests cause DoS", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat Fuse 7.11.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-2048", }, { category: "external", summary: "RHBZ#2116952", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2116952", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-2048", url: "https://www.cve.org/CVERecord?id=CVE-2022-2048", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-2048", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-2048", }, { category: "external", summary: "https://github.com/eclipse/jetty.project/security/advisories/GHSA-wgmr-mf83-7x4j", url: "https://github.com/eclipse/jetty.project/security/advisories/GHSA-wgmr-mf83-7x4j", }, ], release_date: "2022-07-07T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2022-11-28T14:39:27+00:00", details: "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nInstallation instructions are available from the Fuse 7.11.1 product documentation page:\nhttps://access.redhat.com/documentation/en-us/red_hat_fuse/7.11/", product_ids: [ "Red Hat Fuse 7.11.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2022:8652", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "Red Hat Fuse 7.11.1", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "http2-server: Invalid HTTP/2 requests cause DoS", }, { cve: "CVE-2022-2053", cwe: { id: "CWE-770", name: "Allocation of Resources Without Limits or Throttling", }, discovery_date: "2022-06-10T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2095862", }, ], notes: [ { category: "description", text: "A flaw was found in Undertow. AJP requests to the server may allow an attacker to send a malicious request and trigger server errors, resulting in a denial of service.", title: "Vulnerability description", }, { category: "summary", text: "undertow: Large AJP request may cause DoS", title: "Vulnerability summary", }, { category: "other", text: "Red Hat Fuse 7 is now in Maintenance Support Phase and is marked Fixed. However, Red Hat Fuse Online does not contain the fix for this flaw.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat Fuse 7.11.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-2053", }, { category: "external", summary: "RHBZ#2095862", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2095862", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-2053", url: "https://www.cve.org/CVERecord?id=CVE-2022-2053", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-2053", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-2053", }, ], release_date: "2022-06-14T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2022-11-28T14:39:27+00:00", details: "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nInstallation instructions are available from the Fuse 7.11.1 product documentation page:\nhttps://access.redhat.com/documentation/en-us/red_hat_fuse/7.11/", product_ids: [ "Red Hat Fuse 7.11.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2022:8652", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "Red Hat Fuse 7.11.1", ], }, ], threats: [ { category: "impact", details: "Low", }, ], title: "undertow: Large AJP request may cause DoS", }, { cve: "CVE-2022-24723", cwe: { id: "CWE-1173", name: "Improper Use of Validation Framework", }, discovery_date: "2022-03-03T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2062370", }, ], notes: [ { category: "description", text: "An improper input validation flaw was found in urijs where white space characters are not removed from the beginning of an URL. This issue allows bypassing the protocol validation.", title: "Vulnerability description", }, { category: "summary", text: "urijs: Leading white space bypasses protocol validation", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat Fuse 7.11.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-24723", }, { category: "external", summary: "RHBZ#2062370", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2062370", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-24723", url: "https://www.cve.org/CVERecord?id=CVE-2022-24723", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-24723", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-24723", }, ], release_date: "2022-03-03T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2022-11-28T14:39:27+00:00", details: "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nInstallation instructions are available from the Fuse 7.11.1 product documentation page:\nhttps://access.redhat.com/documentation/en-us/red_hat_fuse/7.11/", product_ids: [ "Red Hat Fuse 7.11.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2022:8652", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 5.3, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", version: "3.1", }, products: [ "Red Hat Fuse 7.11.1", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "urijs: Leading white space bypasses protocol validation", }, { cve: "CVE-2022-24785", cwe: { id: "CWE-22", name: "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", }, discovery_date: "2022-04-05T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2072009", }, ], notes: [ { category: "description", text: "A path traversal vulnerability was found in Moment.js that impacts npm (server) users. This issue occurs if a user-provided locale string is directly used to switch moment locale, which an attacker can exploit to change the correct path to one of their choice. This can result in a loss of integrity.", title: "Vulnerability description", }, { category: "summary", text: "Moment.js: Path traversal in moment.locale", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat Fuse 7.11.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-24785", }, { category: "external", summary: "RHBZ#2072009", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2072009", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-24785", url: "https://www.cve.org/CVERecord?id=CVE-2022-24785", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-24785", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-24785", }, { category: "external", summary: "https://github.com/moment/moment/security/advisories/GHSA-8hfj-j24r-96c4", url: "https://github.com/moment/moment/security/advisories/GHSA-8hfj-j24r-96c4", }, ], release_date: "2022-04-04T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2022-11-28T14:39:27+00:00", details: "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nInstallation instructions are available from the Fuse 7.11.1 product documentation page:\nhttps://access.redhat.com/documentation/en-us/red_hat_fuse/7.11/", product_ids: [ "Red Hat Fuse 7.11.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2022:8652", }, { category: "workaround", details: "Sanitize the user-provided locale name before passing it to Moment.js.", product_ids: [ "Red Hat Fuse 7.11.1", ], }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", version: "3.1", }, products: [ "Red Hat Fuse 7.11.1", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "Moment.js: Path traversal in moment.locale", }, { cve: "CVE-2022-24823", cwe: { id: "CWE-379", name: "Creation of Temporary File in Directory with Insecure Permissions", }, discovery_date: "2022-05-17T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2087186", }, ], notes: [ { category: "description", text: "CVE-2021-21290 contains an incomplete fix, and this addresses the issue found in netty. When using multipart decoders in netty, local information disclosure can occur via the local system temporary directory if temporary storing of uploads on the disk is enabled.", title: "Vulnerability description", }, { category: "summary", text: "netty: world readable temporary file containing sensitive data", title: "Vulnerability summary", }, { category: "other", text: "This issue only impacts applications running on Java version 6 and lower. Additionally, this vulnerability impacts code running on Unix-like systems, and very old versions of Mac OSX and Windows as they all share the system temporary directory between all users.\n\nRed Hat Satellite 6 is not affected as is using netty 3.6.7 version which is not impacted by this vulnerability.\n\nRed Hat Fuse 7 is now in Maintenance Support Phase and should be fixed soon. However, Red Hat Fuse Online (Syndesis) does will not contain the fix for this flaw.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat Fuse 7.11.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-24823", }, { category: "external", summary: "RHBZ#2087186", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2087186", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-24823", url: "https://www.cve.org/CVERecord?id=CVE-2022-24823", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-24823", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-24823", }, ], release_date: "2022-05-06T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2022-11-28T14:39:27+00:00", details: "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nInstallation instructions are available from the Fuse 7.11.1 product documentation page:\nhttps://access.redhat.com/documentation/en-us/red_hat_fuse/7.11/", product_ids: [ "Red Hat Fuse 7.11.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2022:8652", }, { category: "workaround", details: "As a workaround, specify one's own `java.io.tmpdir` when starting the JVM or use DefaultHttpDataFactory.setBaseDir(...) to set the directory to something that is only readable by the current user.", product_ids: [ "Red Hat Fuse 7.11.1", ], }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "LOCAL", availabilityImpact: "NONE", baseScore: 5.5, baseSeverity: "MEDIUM", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", version: "3.1", }, products: [ "Red Hat Fuse 7.11.1", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "netty: world readable temporary file containing sensitive data", }, { cve: "CVE-2022-25857", cwe: { id: "CWE-400", name: "Uncontrolled Resource Consumption", }, discovery_date: "2022-09-14T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2126789", }, ], notes: [ { category: "description", text: "A flaw was found in the org.yaml.snakeyaml package. This flaw allows an attacker to cause a denial of service (DoS) due to missing nested depth limitation for collections.", title: "Vulnerability description", }, { category: "summary", text: "snakeyaml: Denial of Service due to missing nested depth limitation for collections", title: "Vulnerability summary", }, { category: "other", text: "For RHEL-8 it's downgraded to moderate because \"snakeyaml\" itself in RHEL 8 or RHEL-9 isn't shipped and \"prometheus-jmx-exporter\" is needed as build dependency. And it's not directly exploitable, hence severity marked as moderate.\nRed Hat Integration and AMQ products are not vulnerable to this flaw, so their severity has been lowered to moderate.\nRed Hat Single Sign-On uses snakeyaml from liquibase-core and is only used when performing migrations and would require administrator privileges to execute, hence severity marked as Low.\nRed Hat Fuse 7 is now in Maintenance Support Phase and details about its fix should be present soon. However, Red Hat Fuse Online (Syndesis) does will not contain the fix for this flaw.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat Fuse 7.11.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-25857", }, { category: "external", summary: "RHBZ#2126789", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2126789", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-25857", url: "https://www.cve.org/CVERecord?id=CVE-2022-25857", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-25857", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-25857", }, { category: "external", summary: "https://bitbucket.org/snakeyaml/snakeyaml/issues/525", url: "https://bitbucket.org/snakeyaml/snakeyaml/issues/525", }, ], release_date: "2022-08-30T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2022-11-28T14:39:27+00:00", details: "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nInstallation instructions are available from the Fuse 7.11.1 product documentation page:\nhttps://access.redhat.com/documentation/en-us/red_hat_fuse/7.11/", product_ids: [ "Red Hat Fuse 7.11.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2022:8652", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "Red Hat Fuse 7.11.1", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "snakeyaml: Denial of Service due to missing nested depth limitation for collections", }, { cve: "CVE-2022-31129", cwe: { id: "CWE-400", name: "Uncontrolled Resource Consumption", }, discovery_date: "2022-07-07T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2105075", }, ], notes: [ { category: "description", text: "A flaw was found in the Moment.js package. Users who pass user-provided strings without sanity length checks to the moment constructor are vulnerable to regular expression denial of service (ReDoS) attacks.", title: "Vulnerability description", }, { category: "summary", text: "moment: inefficient parsing algorithm resulting in DoS", title: "Vulnerability summary", }, { category: "other", text: "Red Hat Fuse provides the affected software but does not use the functionality and as such its impact has been downgraded to Low.\n\nRed Hat Advanced Cluster Management for Kubernetes (RHACM) ships a vulnerable version of the moment library. However, this affected functionality is restricted behind OAuth, reducing the impact to Moderate.\n\nRed Hat Satellite ships a vulnerable version of the moment library. However, this only affects a specific component (qpid-dispatch), reducing the impact to Moderate.\n\nRed Hat Ceph Storage (RHCS) ships a vulnerable version of the moment library, however, it is not directly used and is a transitive dependency from Angular. In addition, the impact would only be to the grafana browser, and not the underlying RHCS system, which reduces the impact to Moderate. \n\nRed Hat OpenShift Service Mesh (OSSM) ships a vulnerable version of the moment library, however, it is not directly used, and as such, the impact has been lowered to Moderate.\n\nRed Hat OpenShift distributed tracing ships a vulnerable version of the moment library, however, it is not directly used, and as such, the impact has been lowered to Moderate.\n\nIn Logging Subsystem for Red Hat OpenShift the vulnerable moment nodejs package is bundled in the ose-logging-kibana6 container as a transitive dependency, hence the direct impact is reduced to Moderate.\n\nIn OpenShift Container Platform 4 the vulnerabile moment package is a third party dependency, hence the direct impact is reduced to Moderate.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat Fuse 7.11.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-31129", }, { category: "external", summary: "RHBZ#2105075", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2105075", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-31129", url: "https://www.cve.org/CVERecord?id=CVE-2022-31129", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-31129", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-31129", }, { category: "external", summary: "https://github.com/moment/moment/security/advisories/GHSA-wc69-rhjr-hc9g", url: "https://github.com/moment/moment/security/advisories/GHSA-wc69-rhjr-hc9g", }, ], release_date: "2022-07-06T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2022-11-28T14:39:27+00:00", details: "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nInstallation instructions are available from the Fuse 7.11.1 product documentation page:\nhttps://access.redhat.com/documentation/en-us/red_hat_fuse/7.11/", product_ids: [ "Red Hat Fuse 7.11.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2022:8652", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "Red Hat Fuse 7.11.1", ], }, ], threats: [ { category: "impact", details: "Low", }, ], title: "moment: inefficient parsing algorithm resulting in DoS", }, { cve: "CVE-2022-31197", cwe: { id: "CWE-89", name: "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", }, discovery_date: "2022-09-23T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2129428", }, ], notes: [ { category: "description", text: "A flaw was found in PostgresQL. This flaw allows an attacker to benefit from a miss escaping character and leads to a SQL injection attack due to Java.sql.ResultRow.refreshRow() implementation from PGSQL.", title: "Vulnerability description", }, { category: "summary", text: "postgresql: SQL Injection in ResultSet.refreshRow() with malicious column names", title: "Vulnerability summary", }, { category: "other", text: "User applications that do not invoke the `ResultSet.refreshRow()` method are not impacted.\nRed Hat Fuse 7 is now in Maintenance Support Phase and details about its fix should be presented soon. However, Red Hat Fuse Online (Syndesis) does will not contain the fix for this flaw.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat Fuse 7.11.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-31197", }, { category: "external", summary: "RHBZ#2129428", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2129428", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-31197", url: "https://www.cve.org/CVERecord?id=CVE-2022-31197", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-31197", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-31197", }, { category: "external", summary: "https://github.com/pgjdbc/pgjdbc/security/advisories/GHSA-r38f-c4h4-hqq2", url: "https://github.com/pgjdbc/pgjdbc/security/advisories/GHSA-r38f-c4h4-hqq2", }, ], release_date: "2022-08-03T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2022-11-28T14:39:27+00:00", details: "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nInstallation instructions are available from the Fuse 7.11.1 product documentation page:\nhttps://access.redhat.com/documentation/en-us/red_hat_fuse/7.11/", product_ids: [ "Red Hat Fuse 7.11.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2022:8652", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 8, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H", version: "3.1", }, products: [ "Red Hat Fuse 7.11.1", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "postgresql: SQL Injection in ResultSet.refreshRow() with malicious column names", }, { cve: "CVE-2022-33980", discovery_date: "2022-07-07T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2105067", }, ], notes: [ { category: "description", text: "A flaw was found in Apache Commons Configuration's variable interpolation, which by default included several lookup actions that could permit script invocation on remote servers. This issue could allow an attacker to use one of these actions to send a request to execute arbitrary code on the server.", title: "Vulnerability description", }, { category: "summary", text: "apache-commons-configuration: Apache Commons Configuration insecure interpolation defaults", title: "Vulnerability summary", }, { category: "other", text: "Red Hat Satellite embeds affected commons-configuration2 with Candlepin, however, product is not affected since vulnerable org.apache.commons.configuration2.interpol.Lookup is not exposed in code. Product Security has rated this vulnerability Low for Satellite and there is no harm identified to confidentiality, integrity, and availability.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat Fuse 7.11.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-33980", }, { category: "external", summary: "RHBZ#2105067", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2105067", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-33980", url: "https://www.cve.org/CVERecord?id=CVE-2022-33980", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-33980", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-33980", }, ], release_date: "2022-07-06T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2022-11-28T14:39:27+00:00", details: "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nInstallation instructions are available from the Fuse 7.11.1 product documentation page:\nhttps://access.redhat.com/documentation/en-us/red_hat_fuse/7.11/", product_ids: [ "Red Hat Fuse 7.11.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2022:8652", }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, products: [ "Red Hat Fuse 7.11.1", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "apache-commons-configuration: Apache Commons Configuration insecure interpolation defaults", }, { cve: "CVE-2022-38749", cwe: { id: "CWE-787", name: "Out-of-bounds Write", }, discovery_date: "2022-09-26T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2129706", }, ], notes: [ { category: "description", text: "A flaw was found in the snakeyaml package due to a stack-overflow in parsing YAML files. By persuading a victim to open a specially-crafted file, a remote attacker could cause the application to crash, resulting in a denial of service.", title: "Vulnerability description", }, { category: "summary", text: "snakeyaml: Uncaught exception in org.yaml.snakeyaml.composer.Composer.composeSequenceNode", title: "Vulnerability summary", }, { category: "other", text: "Red Hat Build of Quarkus is not affected by this issue as it already includes the fixed version.\n\nSatellite component Candlepin does not directly use snakeyaml, so it is not affected. Regardless, an update with the latest, unaffected snakeyaml version will be provided at next release.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat Fuse 7.11.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-38749", }, { category: "external", summary: "RHBZ#2129706", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2129706", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-38749", url: "https://www.cve.org/CVERecord?id=CVE-2022-38749", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-38749", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-38749", }, ], release_date: "2022-09-05T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2022-11-28T14:39:27+00:00", details: "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nInstallation instructions are available from the Fuse 7.11.1 product documentation page:\nhttps://access.redhat.com/documentation/en-us/red_hat_fuse/7.11/", product_ids: [ "Red Hat Fuse 7.11.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2022:8652", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 6.5, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "Red Hat Fuse 7.11.1", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "snakeyaml: Uncaught exception in org.yaml.snakeyaml.composer.Composer.composeSequenceNode", }, { cve: "CVE-2022-41853", cwe: { id: "CWE-470", name: "Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')", }, discovery_date: "2022-10-19T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2136141", }, ], notes: [ { category: "description", text: "A flaw was found in the HSQLDB package. This flaw allows untrusted inputs to execute remote code due to any static method of any Java class in the classpath, resulting in code execution by default.", title: "Vulnerability description", }, { category: "summary", text: "hsqldb: Untrusted input may lead to RCE attack", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat Fuse 7.11.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-41853", }, { category: "external", summary: "RHBZ#2136141", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2136141", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-41853", url: "https://www.cve.org/CVERecord?id=CVE-2022-41853", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-41853", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-41853", }, { category: "external", summary: "http://hsqldb.org/doc/2.0/guide/sqlroutines-chapt.html#src_jrt_access_control", url: "http://hsqldb.org/doc/2.0/guide/sqlroutines-chapt.html#src_jrt_access_control", }, { category: "external", summary: "https://github.com/advisories/GHSA-77xx-rxvh-q682", url: "https://github.com/advisories/GHSA-77xx-rxvh-q682", }, ], release_date: "2022-10-06T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2022-11-28T14:39:27+00:00", details: "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nInstallation instructions are available from the Fuse 7.11.1 product documentation page:\nhttps://access.redhat.com/documentation/en-us/red_hat_fuse/7.11/", product_ids: [ "Red Hat Fuse 7.11.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2022:8652", }, { category: "workaround", details: "By default, the static methods of any class that is on the classpath are available for use and can compromise security in some systems. The optional Java system property, hsqldb.method_class_names, allows preventing access to classes other than java.lang.Math or specifying a semicolon-separated list of allowed classes. A property value that ends with .* is treated as a wild card and allows access to all class or method names formed by substitution of the * (asterisk).\n\nIn the example below, the property has been included as an argument to the Java command.\n\n java -Dhsqldb.method_class_names=\"org.me.MyClass;org.you.YourClass;org.you.lib.*\" [the rest of the command line]\n\nThe above example allows access to the methods in the two classes: org.me.MyClass and org.you.YourClass together with all the classes in the org.you.lib package. Note that if the property is not defined, no access control is performed at this level.\n\nThe user who creates a Java routine must have the relevant access privileges on the tables that are used inside the Java method.\n\nOnce the routine has been defined, the normal database access control applies to its user. The routine can be executed only by those users who have been granted EXECUTE privileges on it. Access to routines can be granted to users with GRANT EXECUTE or GRANT ALL. For example, GRANT EXECUTE ON myroutine TO PUBLIC.\n\nIn hsqldb 2.7.1, all classes by default are not accessible, except those in java.lang.Math and need to be manually enabled.", product_ids: [ "Red Hat Fuse 7.11.1", ], }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 9.8, baseSeverity: "CRITICAL", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, products: [ "Red Hat Fuse 7.11.1", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "hsqldb: Untrusted input may lead to RCE attack", }, { cve: "CVE-2022-42889", cwe: { id: "CWE-1188", name: "Initialization of a Resource with an Insecure Default", }, discovery_date: "2022-10-15T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2135435", }, ], notes: [ { category: "description", text: "A flaw was found in Apache Commons Text packages 1.5 through 1.9. The affected versions allow an attacker to benefit from a variable interpolation process contained in Apache Commons Text, which can cause properties to be dynamically defined. Server applications are vulnerable to remote code execution (RCE) and unintentional contact with untrusted remote servers.", title: "Vulnerability description", }, { category: "summary", text: "apache-commons-text: variable interpolation RCE", title: "Vulnerability summary", }, { category: "other", text: "In order to carry successful exploitation of this vulnerability, the following conditions must be in place on the affected target:\n - Usage of specific methods that interpolate the variables as described in the flaw\n - Usage of external input for those methods\n - Usage of that external input has to be unsanitized/no \"allow list\"/etc.\n\nThe following products have *Low* impact because they have maven references to the affected package but do not ship it nor use the code:\n- Red Hat EAP Expansion Pack (EAP-XP)\n- Red Hat Camel-K\n- Red Hat Camel-Quarkus\n\nRed Hat Satellite ships Candlepin that embeds Apache Commons Text, however, it is not vulnerable to the flaw since the library has not been exposed in the product code. In Candlepin, the Commons Text is being pulled for the Liquibase and ActiveMQ Artemis libraries as a dependency. Red Hat Product Security has evaluated and rated the impact of the flaw as Low for Satellite since there was no harm identified to the confidentiality, integrity, or availability of systems.\n\n- The OCP has a *Moderate* impact because the affected library is a third-party library in the OCP jenkins-2-plugin component which reduces the possibilities of successful exploitation.\n- The OCP-4.8 is affected by this CVE and is in an extended life phase. For versions of products in the Extended Life Phase, Red Hat will provide limited ongoing technical support. No bug fixes, security fixes, hardware enablement or root-cause analysis will be available during this phase, and support will be provided on existing installations only.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat Fuse 7.11.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-42889", }, { category: "external", summary: "RHBZ#2135435", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2135435", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-42889", url: "https://www.cve.org/CVERecord?id=CVE-2022-42889", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-42889", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-42889", }, { category: "external", summary: "https://blogs.apache.org/security/entry/cve-2022-42889", url: "https://blogs.apache.org/security/entry/cve-2022-42889", }, { category: "external", summary: "https://lists.apache.org/thread/n2bd4vdsgkqh2tm14l1wyc3jyol7s1om", url: "https://lists.apache.org/thread/n2bd4vdsgkqh2tm14l1wyc3jyol7s1om", }, { category: "external", summary: "https://seclists.org/oss-sec/2022/q4/22", url: "https://seclists.org/oss-sec/2022/q4/22", }, ], release_date: "2022-10-13T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2022-11-28T14:39:27+00:00", details: "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nInstallation instructions are available from the Fuse 7.11.1 product documentation page:\nhttps://access.redhat.com/documentation/en-us/red_hat_fuse/7.11/", product_ids: [ "Red Hat Fuse 7.11.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2022:8652", }, { category: "workaround", details: "This flaw may be avoided by ensuring that any external inputs used with the Commons-Text lookup methods are sanitized properly. Untrusted input should always be thoroughly sanitized before using in any potentially risky situations.", product_ids: [ "Red Hat Fuse 7.11.1", ], }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 9.8, baseSeverity: "CRITICAL", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, products: [ "Red Hat Fuse 7.11.1", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "apache-commons-text: variable interpolation RCE", }, ], }
rhsa-2022:8652
Vulnerability from csaf_redhat
Published
2022-11-28 14:39
Modified
2025-03-23 05:12
Summary
Red Hat Security Advisory: Red Hat Fuse 7.11.1 release and security update
Notes
Topic
A minor version update (from 7.11 to 7.11.1) is now available for Red Hat Fuse. The purpose of this text-only errata is to inform you about the security issues fixed in this release.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
This release of Red Hat Fuse 7.11.1 serves as a replacement for Red Hat Fuse 7.11 and includes bug fixes and enhancements, which are documented in the Release Notes document linked in the References.
Security Fix(es):
* hsqldb: Untrusted input may lead to RCE attack [fuse-7] (CVE-2022-41853)
* io.hawt-hawtio-online: bootstrap: XSS in the tooltip or popover data-template attribute [fuse-7] (CVE-2019-8331)
* io.hawt-project: bootstrap: XSS in the tooltip or popover data-template attribute [fuse-7] (CVE-2019-8331)
* wildfly: incorrect JBOSS_LOCAL_USER challenge location may lead to giving access to all the local users [fuse-7] (CVE-2021-3717)
* json-smart: Denial of Service in JSONParserByteArray function [fuse-7] (CVE-2021-31684)
* io.hawt-hawtio-integration: minimist: prototype pollution [fuse-7] (CVE-2021-44906)
* urijs: Authorization Bypass Through User-Controlled Key [fuse-7] (CVE-2022-0613)
* http2-server: Invalid HTTP/2 requests cause DoS [fuse-7] (CVE-2022-2048)
* snakeyaml: Denial of Service due to missing nested depth limitation for collections [fuse-7] (CVE-2022-25857)
* urijs: Leading white space bypasses protocol validation [fuse-7] (CVE-2022-24723)
* Moment.js: Path traversal in moment.locale [fuse-7] (CVE-2022-24785)
* netty: world readable temporary file containing sensitive data [fuse-7] (CVE-2022-24823)
* jdbc-postgresql: postgresql: SQL Injection in ResultSet.refreshRow() with malicious column names [fuse-7] (CVE-2022-31197)
* commons-configuration2: apache-commons-configuration: Apache Commons Configuration insecure interpolation defaults [fuse-7] (CVE-2022-33980)
* commons-text: apache-commons-text: variable interpolation RCE [fuse-7] (CVE-2022-42889)
* undertow: Large AJP request may cause DoS [fuse-7] (CVE-2022-2053)
* moment: inefficient parsing algorithm resulting in DoS [fuse-7] (CVE-2022-31129)
* snakeyaml: Uncaught exception in org.yaml.snakeyaml.composer.Composer.composeSequenceNode [fuse-7] (CVE-2022-38749)
For more details about the security issues, including the impact, CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ document: { aggregate_severity: { namespace: "https://access.redhat.com/security/updates/classification/", text: "Important", }, category: "csaf_security_advisory", csaf_version: "2.0", distribution: { text: "Copyright © Red Hat, Inc. All rights reserved.", tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "en", notes: [ { category: "summary", text: "A minor version update (from 7.11 to 7.11.1) is now available for Red Hat Fuse. The purpose of this text-only errata is to inform you about the security issues fixed in this release.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", title: "Topic", }, { category: "general", text: "This release of Red Hat Fuse 7.11.1 serves as a replacement for Red Hat Fuse 7.11 and includes bug fixes and enhancements, which are documented in the Release Notes document linked in the References.\n\nSecurity Fix(es):\n\n* hsqldb: Untrusted input may lead to RCE attack [fuse-7] (CVE-2022-41853)\n\n* io.hawt-hawtio-online: bootstrap: XSS in the tooltip or popover data-template attribute [fuse-7] (CVE-2019-8331)\n\n* io.hawt-project: bootstrap: XSS in the tooltip or popover data-template attribute [fuse-7] (CVE-2019-8331)\n\n* wildfly: incorrect JBOSS_LOCAL_USER challenge location may lead to giving access to all the local users [fuse-7] (CVE-2021-3717)\n\n* json-smart: Denial of Service in JSONParserByteArray function [fuse-7] (CVE-2021-31684)\n\n* io.hawt-hawtio-integration: minimist: prototype pollution [fuse-7] (CVE-2021-44906)\n\n* urijs: Authorization Bypass Through User-Controlled Key [fuse-7] (CVE-2022-0613)\n\n* http2-server: Invalid HTTP/2 requests cause DoS [fuse-7] (CVE-2022-2048)\n\n* snakeyaml: Denial of Service due to missing nested depth limitation for collections [fuse-7] (CVE-2022-25857)\n\n* urijs: Leading white space bypasses protocol validation [fuse-7] (CVE-2022-24723)\n\n* Moment.js: Path traversal in moment.locale [fuse-7] (CVE-2022-24785)\n\n* netty: world readable temporary file containing sensitive data [fuse-7] (CVE-2022-24823)\n\n* jdbc-postgresql: postgresql: SQL Injection in ResultSet.refreshRow() with malicious column names [fuse-7] (CVE-2022-31197)\n\n* commons-configuration2: apache-commons-configuration: Apache Commons Configuration insecure interpolation defaults [fuse-7] (CVE-2022-33980)\n\n* commons-text: apache-commons-text: variable interpolation RCE [fuse-7] (CVE-2022-42889)\n\n* undertow: Large AJP request may cause DoS [fuse-7] (CVE-2022-2053)\n\n* moment: inefficient parsing algorithm resulting in DoS [fuse-7] (CVE-2022-31129)\n\n* snakeyaml: Uncaught exception in org.yaml.snakeyaml.composer.Composer.composeSequenceNode [fuse-7] (CVE-2022-38749)\n\nFor more details about the security issues, including the impact, CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", title: "Details", }, { category: "legal_disclaimer", text: "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", title: "Terms of Use", }, ], publisher: { category: "vendor", contact_details: "https://access.redhat.com/security/team/contact/", issuing_authority: "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", name: "Red Hat Product Security", namespace: "https://www.redhat.com", }, references: [ { category: "self", summary: "https://access.redhat.com/errata/RHSA-2022:8652", url: "https://access.redhat.com/errata/RHSA-2022:8652", }, { category: "external", summary: "https://access.redhat.com/security/updates/classification/#important", url: "https://access.redhat.com/security/updates/classification/#important", }, { category: "external", summary: "1686454", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1686454", }, { category: "external", summary: "1991305", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1991305", }, { category: "external", summary: "2055496", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2055496", }, { category: "external", summary: "2062370", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2062370", }, { category: "external", summary: "2066009", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2066009", }, { category: "external", summary: "2072009", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2072009", }, { category: "external", summary: "2087186", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2087186", }, { category: "external", summary: "2095862", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2095862", }, { category: "external", summary: "2102695", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2102695", }, { category: "external", summary: "2105067", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2105067", }, { category: "external", summary: "2105075", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2105075", }, { category: "external", summary: "2116952", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2116952", }, { category: "external", summary: "2126789", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2126789", }, { category: "external", summary: "2129428", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2129428", }, { category: "external", summary: "2129706", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2129706", }, { category: "external", summary: "2135435", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2135435", }, { category: "external", summary: "2136141", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2136141", }, { category: "self", summary: "Canonical URL", url: "https://security.access.redhat.com/data/csaf/v2/advisories/2022/rhsa-2022_8652.json", }, ], title: "Red Hat Security Advisory: Red Hat Fuse 7.11.1 release and security update", tracking: { current_release_date: "2025-03-23T05:12:40+00:00", generator: { date: "2025-03-23T05:12:40+00:00", engine: { name: "Red Hat SDEngine", version: "4.4.1", }, }, id: "RHSA-2022:8652", initial_release_date: "2022-11-28T14:39:27+00:00", revision_history: [ { date: "2022-11-28T14:39:27+00:00", number: "1", summary: "Initial version", }, { date: "2022-11-28T14:39:27+00:00", number: "2", summary: "Last updated version", }, { date: "2025-03-23T05:12:40+00:00", number: "3", summary: "Last generated version", }, ], status: "final", version: "3", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_name", name: "Red Hat Fuse 7.11.1", product: { name: "Red Hat Fuse 7.11.1", product_id: "Red Hat Fuse 7.11.1", product_identification_helper: { cpe: "cpe:/a:redhat:jboss_fuse:7", }, }, }, ], category: "product_family", name: "Red Hat JBoss Fuse", }, ], category: "vendor", name: "Red Hat", }, ], }, vulnerabilities: [ { cve: "CVE-2019-8331", cwe: { id: "CWE-79", name: "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", }, discovery_date: "2019-02-20T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1686454", }, ], notes: [ { category: "description", text: "A cross-site scripting vulnerability was discovered in bootstrap. If an attacker could control the data given to tooltip or popover, they could inject HTML or Javascript into the rendered page when tooltip or popover events fired.", title: "Vulnerability description", }, { category: "summary", text: "bootstrap: XSS in the tooltip or popover data-template attribute", title: "Vulnerability summary", }, { category: "other", text: "Red Hat CloudForms 4.6 and newer versions include the vulnerable component, but there is no risk of exploitation since there is no possible vector to access the vulnerability. Older Red Hat CloudForms versions don't use the vulnerable component at all.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat Fuse 7.11.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2019-8331", }, { category: "external", summary: "RHBZ#1686454", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1686454", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2019-8331", url: "https://www.cve.org/CVERecord?id=CVE-2019-8331", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2019-8331", url: "https://nvd.nist.gov/vuln/detail/CVE-2019-8331", }, ], release_date: "2019-02-11T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2022-11-28T14:39:27+00:00", details: "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nInstallation instructions are available from the Fuse 7.11.1 product documentation page:\nhttps://access.redhat.com/documentation/en-us/red_hat_fuse/7.11/", product_ids: [ "Red Hat Fuse 7.11.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2022:8652", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 6.1, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "CHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", version: "3.0", }, products: [ "Red Hat Fuse 7.11.1", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "bootstrap: XSS in the tooltip or popover data-template attribute", }, { cve: "CVE-2021-3717", cwe: { id: "CWE-552", name: "Files or Directories Accessible to External Parties", }, discovery_date: "2021-07-27T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1991305", }, ], notes: [ { category: "description", text: "A flaw was found in Wildfly. An incorrect JBOSS_LOCAL_USER challenge location when using the elytron configuration may lead to JBOSS_LOCAL_USER access to all users on the machine. The highest threat from this vulnerability is to confidentiality, integrity, and availability.", title: "Vulnerability description", }, { category: "summary", text: "wildfly: incorrect JBOSS_LOCAL_USER challenge location may lead to giving access to all the local users", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat Fuse 7.11.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2021-3717", }, { category: "external", summary: "RHBZ#1991305", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1991305", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2021-3717", url: "https://www.cve.org/CVERecord?id=CVE-2021-3717", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2021-3717", url: "https://nvd.nist.gov/vuln/detail/CVE-2021-3717", }, ], release_date: "2021-08-18T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2022-11-28T14:39:27+00:00", details: "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nInstallation instructions are available from the Fuse 7.11.1 product documentation page:\nhttps://access.redhat.com/documentation/en-us/red_hat_fuse/7.11/", product_ids: [ "Red Hat Fuse 7.11.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2022:8652", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "LOCAL", availabilityImpact: "HIGH", baseScore: 7.8, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, products: [ "Red Hat Fuse 7.11.1", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "wildfly: incorrect JBOSS_LOCAL_USER challenge location may lead to giving access to all the local users", }, { cve: "CVE-2021-31684", cwe: { id: "CWE-787", name: "Out-of-bounds Write", }, discovery_date: "2022-06-30T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2102695", }, ], notes: [ { category: "description", text: "A flaw was found in the json-smart package in the JSONParserByteArray. This flaw allows an attacker to cause a denial of service.", title: "Vulnerability description", }, { category: "summary", text: "json-smart: Denial of Service in JSONParserByteArray function", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat Fuse 7.11.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2021-31684", }, { category: "external", summary: "RHBZ#2102695", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2102695", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2021-31684", url: "https://www.cve.org/CVERecord?id=CVE-2021-31684", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2021-31684", url: "https://nvd.nist.gov/vuln/detail/CVE-2021-31684", }, ], release_date: "2021-06-01T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2022-11-28T14:39:27+00:00", details: "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nInstallation instructions are available from the Fuse 7.11.1 product documentation page:\nhttps://access.redhat.com/documentation/en-us/red_hat_fuse/7.11/", product_ids: [ "Red Hat Fuse 7.11.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2022:8652", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "Red Hat Fuse 7.11.1", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "json-smart: Denial of Service in JSONParserByteArray function", }, { cve: "CVE-2021-44906", cwe: { id: "CWE-1321", name: "Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')", }, discovery_date: "2022-03-19T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2066009", }, ], notes: [ { category: "description", text: "An Uncontrolled Resource Consumption flaw was found in minimist. This flaw allows an attacker to trick the library into adding or modifying the properties of Object.prototype, using a constructor or __proto__ payload, resulting in prototype pollution and loss of confidentiality, availability, and integrity.", title: "Vulnerability description", }, { category: "summary", text: "minimist: prototype pollution", title: "Vulnerability summary", }, { category: "other", text: "The original fix for CVE-2020-7598 was incomplete as it was still possible to bypass in some cases. While this flaw (CVE-2021-44906) enables attackers to control objects that they should not have access to, actual exploitation would still require a chain of independent flaws. Even though the CVSS for CVE-2021-44906 is higher than CVE-2020-7598, they are both rated as having Moderate impact.\n\nWithin Red Hat Satellite 6 this flaw has been rated as having a security impact of Low. It is not currently planned to be addressed there, as the minimist library is only included in the -doc subpackage and is part of test fixtures that are not in the execution path used by the rabl gem.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat Fuse 7.11.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2021-44906", }, { category: "external", summary: "RHBZ#2066009", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2066009", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2021-44906", url: "https://www.cve.org/CVERecord?id=CVE-2021-44906", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2021-44906", url: "https://nvd.nist.gov/vuln/detail/CVE-2021-44906", }, { category: "external", summary: "https://github.com/advisories/GHSA-xvch-5gv4-984h", url: "https://github.com/advisories/GHSA-xvch-5gv4-984h", }, ], release_date: "2022-03-10T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2022-11-28T14:39:27+00:00", details: "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nInstallation instructions are available from the Fuse 7.11.1 product documentation page:\nhttps://access.redhat.com/documentation/en-us/red_hat_fuse/7.11/", product_ids: [ "Red Hat Fuse 7.11.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2022:8652", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 9.8, baseSeverity: "CRITICAL", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, products: [ "Red Hat Fuse 7.11.1", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "minimist: prototype pollution", }, { cve: "CVE-2022-0613", cwe: { id: "CWE-639", name: "Authorization Bypass Through User-Controlled Key", }, discovery_date: "2022-02-17T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2055496", }, ], notes: [ { category: "description", text: "A flaw was found in urijs due to the fix of CVE-2021-3647 not considering case-sensitive protocol schemes in the URL. This issue allows attackers to bypass the patch.", title: "Vulnerability description", }, { category: "summary", text: "urijs: Authorization Bypass Through User-Controlled Key", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat Fuse 7.11.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-0613", }, { category: "external", summary: "RHBZ#2055496", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2055496", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-0613", url: "https://www.cve.org/CVERecord?id=CVE-2022-0613", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-0613", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-0613", }, ], release_date: "2022-02-16T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2022-11-28T14:39:27+00:00", details: "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nInstallation instructions are available from the Fuse 7.11.1 product documentation page:\nhttps://access.redhat.com/documentation/en-us/red_hat_fuse/7.11/", product_ids: [ "Red Hat Fuse 7.11.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2022:8652", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 6.5, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", version: "3.1", }, products: [ "Red Hat Fuse 7.11.1", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "urijs: Authorization Bypass Through User-Controlled Key", }, { cve: "CVE-2022-2048", cwe: { id: "CWE-410", name: "Insufficient Resource Pool", }, discovery_date: "2022-08-09T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2116952", }, ], notes: [ { category: "description", text: "A flaw was found in the Eclipse Jetty http2-server package. This flaw allows an attacker to cause a denial of service in the server via HTTP/2 requests.", title: "Vulnerability description", }, { category: "summary", text: "http2-server: Invalid HTTP/2 requests cause DoS", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat Fuse 7.11.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-2048", }, { category: "external", summary: "RHBZ#2116952", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2116952", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-2048", url: "https://www.cve.org/CVERecord?id=CVE-2022-2048", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-2048", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-2048", }, { category: "external", summary: "https://github.com/eclipse/jetty.project/security/advisories/GHSA-wgmr-mf83-7x4j", url: "https://github.com/eclipse/jetty.project/security/advisories/GHSA-wgmr-mf83-7x4j", }, ], release_date: "2022-07-07T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2022-11-28T14:39:27+00:00", details: "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nInstallation instructions are available from the Fuse 7.11.1 product documentation page:\nhttps://access.redhat.com/documentation/en-us/red_hat_fuse/7.11/", product_ids: [ "Red Hat Fuse 7.11.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2022:8652", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "Red Hat Fuse 7.11.1", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "http2-server: Invalid HTTP/2 requests cause DoS", }, { cve: "CVE-2022-2053", cwe: { id: "CWE-770", name: "Allocation of Resources Without Limits or Throttling", }, discovery_date: "2022-06-10T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2095862", }, ], notes: [ { category: "description", text: "A flaw was found in Undertow. AJP requests to the server may allow an attacker to send a malicious request and trigger server errors, resulting in a denial of service.", title: "Vulnerability description", }, { category: "summary", text: "undertow: Large AJP request may cause DoS", title: "Vulnerability summary", }, { category: "other", text: "Red Hat Fuse 7 is now in Maintenance Support Phase and is marked Fixed. However, Red Hat Fuse Online does not contain the fix for this flaw.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat Fuse 7.11.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-2053", }, { category: "external", summary: "RHBZ#2095862", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2095862", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-2053", url: "https://www.cve.org/CVERecord?id=CVE-2022-2053", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-2053", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-2053", }, ], release_date: "2022-06-14T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2022-11-28T14:39:27+00:00", details: "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nInstallation instructions are available from the Fuse 7.11.1 product documentation page:\nhttps://access.redhat.com/documentation/en-us/red_hat_fuse/7.11/", product_ids: [ "Red Hat Fuse 7.11.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2022:8652", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "Red Hat Fuse 7.11.1", ], }, ], threats: [ { category: "impact", details: "Low", }, ], title: "undertow: Large AJP request may cause DoS", }, { cve: "CVE-2022-24723", cwe: { id: "CWE-1173", name: "Improper Use of Validation Framework", }, discovery_date: "2022-03-03T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2062370", }, ], notes: [ { category: "description", text: "An improper input validation flaw was found in urijs where white space characters are not removed from the beginning of an URL. This issue allows bypassing the protocol validation.", title: "Vulnerability description", }, { category: "summary", text: "urijs: Leading white space bypasses protocol validation", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat Fuse 7.11.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-24723", }, { category: "external", summary: "RHBZ#2062370", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2062370", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-24723", url: "https://www.cve.org/CVERecord?id=CVE-2022-24723", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-24723", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-24723", }, ], release_date: "2022-03-03T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2022-11-28T14:39:27+00:00", details: "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nInstallation instructions are available from the Fuse 7.11.1 product documentation page:\nhttps://access.redhat.com/documentation/en-us/red_hat_fuse/7.11/", product_ids: [ "Red Hat Fuse 7.11.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2022:8652", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 5.3, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", version: "3.1", }, products: [ "Red Hat Fuse 7.11.1", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "urijs: Leading white space bypasses protocol validation", }, { cve: "CVE-2022-24785", cwe: { id: "CWE-22", name: "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", }, discovery_date: "2022-04-05T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2072009", }, ], notes: [ { category: "description", text: "A path traversal vulnerability was found in Moment.js that impacts npm (server) users. This issue occurs if a user-provided locale string is directly used to switch moment locale, which an attacker can exploit to change the correct path to one of their choice. This can result in a loss of integrity.", title: "Vulnerability description", }, { category: "summary", text: "Moment.js: Path traversal in moment.locale", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat Fuse 7.11.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-24785", }, { category: "external", summary: "RHBZ#2072009", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2072009", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-24785", url: "https://www.cve.org/CVERecord?id=CVE-2022-24785", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-24785", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-24785", }, { category: "external", summary: "https://github.com/moment/moment/security/advisories/GHSA-8hfj-j24r-96c4", url: "https://github.com/moment/moment/security/advisories/GHSA-8hfj-j24r-96c4", }, ], release_date: "2022-04-04T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2022-11-28T14:39:27+00:00", details: "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nInstallation instructions are available from the Fuse 7.11.1 product documentation page:\nhttps://access.redhat.com/documentation/en-us/red_hat_fuse/7.11/", product_ids: [ "Red Hat Fuse 7.11.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2022:8652", }, { category: "workaround", details: "Sanitize the user-provided locale name before passing it to Moment.js.", product_ids: [ "Red Hat Fuse 7.11.1", ], }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", version: "3.1", }, products: [ "Red Hat Fuse 7.11.1", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "Moment.js: Path traversal in moment.locale", }, { cve: "CVE-2022-24823", cwe: { id: "CWE-379", name: "Creation of Temporary File in Directory with Insecure Permissions", }, discovery_date: "2022-05-17T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2087186", }, ], notes: [ { category: "description", text: "CVE-2021-21290 contains an incomplete fix, and this addresses the issue found in netty. When using multipart decoders in netty, local information disclosure can occur via the local system temporary directory if temporary storing of uploads on the disk is enabled.", title: "Vulnerability description", }, { category: "summary", text: "netty: world readable temporary file containing sensitive data", title: "Vulnerability summary", }, { category: "other", text: "This issue only impacts applications running on Java version 6 and lower. Additionally, this vulnerability impacts code running on Unix-like systems, and very old versions of Mac OSX and Windows as they all share the system temporary directory between all users.\n\nRed Hat Satellite 6 is not affected as is using netty 3.6.7 version which is not impacted by this vulnerability.\n\nRed Hat Fuse 7 is now in Maintenance Support Phase and should be fixed soon. However, Red Hat Fuse Online (Syndesis) does will not contain the fix for this flaw.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat Fuse 7.11.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-24823", }, { category: "external", summary: "RHBZ#2087186", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2087186", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-24823", url: "https://www.cve.org/CVERecord?id=CVE-2022-24823", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-24823", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-24823", }, ], release_date: "2022-05-06T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2022-11-28T14:39:27+00:00", details: "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nInstallation instructions are available from the Fuse 7.11.1 product documentation page:\nhttps://access.redhat.com/documentation/en-us/red_hat_fuse/7.11/", product_ids: [ "Red Hat Fuse 7.11.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2022:8652", }, { category: "workaround", details: "As a workaround, specify one's own `java.io.tmpdir` when starting the JVM or use DefaultHttpDataFactory.setBaseDir(...) to set the directory to something that is only readable by the current user.", product_ids: [ "Red Hat Fuse 7.11.1", ], }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "LOCAL", availabilityImpact: "NONE", baseScore: 5.5, baseSeverity: "MEDIUM", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", version: "3.1", }, products: [ "Red Hat Fuse 7.11.1", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "netty: world readable temporary file containing sensitive data", }, { cve: "CVE-2022-25857", cwe: { id: "CWE-400", name: "Uncontrolled Resource Consumption", }, discovery_date: "2022-09-14T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2126789", }, ], notes: [ { category: "description", text: "A flaw was found in the org.yaml.snakeyaml package. This flaw allows an attacker to cause a denial of service (DoS) due to missing nested depth limitation for collections.", title: "Vulnerability description", }, { category: "summary", text: "snakeyaml: Denial of Service due to missing nested depth limitation for collections", title: "Vulnerability summary", }, { category: "other", text: "For RHEL-8 it's downgraded to moderate because \"snakeyaml\" itself in RHEL 8 or RHEL-9 isn't shipped and \"prometheus-jmx-exporter\" is needed as build dependency. And it's not directly exploitable, hence severity marked as moderate.\nRed Hat Integration and AMQ products are not vulnerable to this flaw, so their severity has been lowered to moderate.\nRed Hat Single Sign-On uses snakeyaml from liquibase-core and is only used when performing migrations and would require administrator privileges to execute, hence severity marked as Low.\nRed Hat Fuse 7 is now in Maintenance Support Phase and details about its fix should be present soon. However, Red Hat Fuse Online (Syndesis) does will not contain the fix for this flaw.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat Fuse 7.11.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-25857", }, { category: "external", summary: "RHBZ#2126789", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2126789", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-25857", url: "https://www.cve.org/CVERecord?id=CVE-2022-25857", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-25857", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-25857", }, { category: "external", summary: "https://bitbucket.org/snakeyaml/snakeyaml/issues/525", url: "https://bitbucket.org/snakeyaml/snakeyaml/issues/525", }, ], release_date: "2022-08-30T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2022-11-28T14:39:27+00:00", details: "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nInstallation instructions are available from the Fuse 7.11.1 product documentation page:\nhttps://access.redhat.com/documentation/en-us/red_hat_fuse/7.11/", product_ids: [ "Red Hat Fuse 7.11.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2022:8652", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "Red Hat Fuse 7.11.1", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "snakeyaml: Denial of Service due to missing nested depth limitation for collections", }, { cve: "CVE-2022-31129", cwe: { id: "CWE-400", name: "Uncontrolled Resource Consumption", }, discovery_date: "2022-07-07T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2105075", }, ], notes: [ { category: "description", text: "A flaw was found in the Moment.js package. Users who pass user-provided strings without sanity length checks to the moment constructor are vulnerable to regular expression denial of service (ReDoS) attacks.", title: "Vulnerability description", }, { category: "summary", text: "moment: inefficient parsing algorithm resulting in DoS", title: "Vulnerability summary", }, { category: "other", text: "Red Hat Fuse provides the affected software but does not use the functionality and as such its impact has been downgraded to Low.\n\nRed Hat Advanced Cluster Management for Kubernetes (RHACM) ships a vulnerable version of the moment library. However, this affected functionality is restricted behind OAuth, reducing the impact to Moderate.\n\nRed Hat Satellite ships a vulnerable version of the moment library. However, this only affects a specific component (qpid-dispatch), reducing the impact to Moderate.\n\nRed Hat Ceph Storage (RHCS) ships a vulnerable version of the moment library, however, it is not directly used and is a transitive dependency from Angular. In addition, the impact would only be to the grafana browser, and not the underlying RHCS system, which reduces the impact to Moderate. \n\nRed Hat OpenShift Service Mesh (OSSM) ships a vulnerable version of the moment library, however, it is not directly used, and as such, the impact has been lowered to Moderate.\n\nRed Hat OpenShift distributed tracing ships a vulnerable version of the moment library, however, it is not directly used, and as such, the impact has been lowered to Moderate.\n\nIn Logging Subsystem for Red Hat OpenShift the vulnerable moment nodejs package is bundled in the ose-logging-kibana6 container as a transitive dependency, hence the direct impact is reduced to Moderate.\n\nIn OpenShift Container Platform 4 the vulnerabile moment package is a third party dependency, hence the direct impact is reduced to Moderate.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat Fuse 7.11.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-31129", }, { category: "external", summary: "RHBZ#2105075", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2105075", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-31129", url: "https://www.cve.org/CVERecord?id=CVE-2022-31129", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-31129", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-31129", }, { category: "external", summary: "https://github.com/moment/moment/security/advisories/GHSA-wc69-rhjr-hc9g", url: "https://github.com/moment/moment/security/advisories/GHSA-wc69-rhjr-hc9g", }, ], release_date: "2022-07-06T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2022-11-28T14:39:27+00:00", details: "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nInstallation instructions are available from the Fuse 7.11.1 product documentation page:\nhttps://access.redhat.com/documentation/en-us/red_hat_fuse/7.11/", product_ids: [ "Red Hat Fuse 7.11.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2022:8652", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "Red Hat Fuse 7.11.1", ], }, ], threats: [ { category: "impact", details: "Low", }, ], title: "moment: inefficient parsing algorithm resulting in DoS", }, { cve: "CVE-2022-31197", cwe: { id: "CWE-89", name: "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", }, discovery_date: "2022-09-23T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2129428", }, ], notes: [ { category: "description", text: "A flaw was found in PostgresQL. This flaw allows an attacker to benefit from a miss escaping character and leads to a SQL injection attack due to Java.sql.ResultRow.refreshRow() implementation from PGSQL.", title: "Vulnerability description", }, { category: "summary", text: "postgresql: SQL Injection in ResultSet.refreshRow() with malicious column names", title: "Vulnerability summary", }, { category: "other", text: "User applications that do not invoke the `ResultSet.refreshRow()` method are not impacted.\nRed Hat Fuse 7 is now in Maintenance Support Phase and details about its fix should be presented soon. However, Red Hat Fuse Online (Syndesis) does will not contain the fix for this flaw.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat Fuse 7.11.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-31197", }, { category: "external", summary: "RHBZ#2129428", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2129428", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-31197", url: "https://www.cve.org/CVERecord?id=CVE-2022-31197", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-31197", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-31197", }, { category: "external", summary: "https://github.com/pgjdbc/pgjdbc/security/advisories/GHSA-r38f-c4h4-hqq2", url: "https://github.com/pgjdbc/pgjdbc/security/advisories/GHSA-r38f-c4h4-hqq2", }, ], release_date: "2022-08-03T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2022-11-28T14:39:27+00:00", details: "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nInstallation instructions are available from the Fuse 7.11.1 product documentation page:\nhttps://access.redhat.com/documentation/en-us/red_hat_fuse/7.11/", product_ids: [ "Red Hat Fuse 7.11.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2022:8652", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 8, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H", version: "3.1", }, products: [ "Red Hat Fuse 7.11.1", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "postgresql: SQL Injection in ResultSet.refreshRow() with malicious column names", }, { cve: "CVE-2022-33980", discovery_date: "2022-07-07T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2105067", }, ], notes: [ { category: "description", text: "A flaw was found in Apache Commons Configuration's variable interpolation, which by default included several lookup actions that could permit script invocation on remote servers. This issue could allow an attacker to use one of these actions to send a request to execute arbitrary code on the server.", title: "Vulnerability description", }, { category: "summary", text: "apache-commons-configuration: Apache Commons Configuration insecure interpolation defaults", title: "Vulnerability summary", }, { category: "other", text: "Red Hat Satellite embeds affected commons-configuration2 with Candlepin, however, product is not affected since vulnerable org.apache.commons.configuration2.interpol.Lookup is not exposed in code. Product Security has rated this vulnerability Low for Satellite and there is no harm identified to confidentiality, integrity, and availability.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat Fuse 7.11.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-33980", }, { category: "external", summary: "RHBZ#2105067", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2105067", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-33980", url: "https://www.cve.org/CVERecord?id=CVE-2022-33980", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-33980", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-33980", }, ], release_date: "2022-07-06T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2022-11-28T14:39:27+00:00", details: "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nInstallation instructions are available from the Fuse 7.11.1 product documentation page:\nhttps://access.redhat.com/documentation/en-us/red_hat_fuse/7.11/", product_ids: [ "Red Hat Fuse 7.11.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2022:8652", }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, products: [ "Red Hat Fuse 7.11.1", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "apache-commons-configuration: Apache Commons Configuration insecure interpolation defaults", }, { cve: "CVE-2022-38749", cwe: { id: "CWE-787", name: "Out-of-bounds Write", }, discovery_date: "2022-09-26T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2129706", }, ], notes: [ { category: "description", text: "A flaw was found in the snakeyaml package due to a stack-overflow in parsing YAML files. By persuading a victim to open a specially-crafted file, a remote attacker could cause the application to crash, resulting in a denial of service.", title: "Vulnerability description", }, { category: "summary", text: "snakeyaml: Uncaught exception in org.yaml.snakeyaml.composer.Composer.composeSequenceNode", title: "Vulnerability summary", }, { category: "other", text: "Red Hat Build of Quarkus is not affected by this issue as it already includes the fixed version.\n\nSatellite component Candlepin does not directly use snakeyaml, so it is not affected. Regardless, an update with the latest, unaffected snakeyaml version will be provided at next release.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat Fuse 7.11.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-38749", }, { category: "external", summary: "RHBZ#2129706", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2129706", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-38749", url: "https://www.cve.org/CVERecord?id=CVE-2022-38749", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-38749", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-38749", }, ], release_date: "2022-09-05T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2022-11-28T14:39:27+00:00", details: "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nInstallation instructions are available from the Fuse 7.11.1 product documentation page:\nhttps://access.redhat.com/documentation/en-us/red_hat_fuse/7.11/", product_ids: [ "Red Hat Fuse 7.11.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2022:8652", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 6.5, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "Red Hat Fuse 7.11.1", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "snakeyaml: Uncaught exception in org.yaml.snakeyaml.composer.Composer.composeSequenceNode", }, { cve: "CVE-2022-41853", cwe: { id: "CWE-470", name: "Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')", }, discovery_date: "2022-10-19T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2136141", }, ], notes: [ { category: "description", text: "A flaw was found in the HSQLDB package. This flaw allows untrusted inputs to execute remote code due to any static method of any Java class in the classpath, resulting in code execution by default.", title: "Vulnerability description", }, { category: "summary", text: "hsqldb: Untrusted input may lead to RCE attack", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat Fuse 7.11.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-41853", }, { category: "external", summary: "RHBZ#2136141", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2136141", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-41853", url: "https://www.cve.org/CVERecord?id=CVE-2022-41853", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-41853", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-41853", }, { category: "external", summary: "http://hsqldb.org/doc/2.0/guide/sqlroutines-chapt.html#src_jrt_access_control", url: "http://hsqldb.org/doc/2.0/guide/sqlroutines-chapt.html#src_jrt_access_control", }, { category: "external", summary: "https://github.com/advisories/GHSA-77xx-rxvh-q682", url: "https://github.com/advisories/GHSA-77xx-rxvh-q682", }, ], release_date: "2022-10-06T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2022-11-28T14:39:27+00:00", details: "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nInstallation instructions are available from the Fuse 7.11.1 product documentation page:\nhttps://access.redhat.com/documentation/en-us/red_hat_fuse/7.11/", product_ids: [ "Red Hat Fuse 7.11.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2022:8652", }, { category: "workaround", details: "By default, the static methods of any class that is on the classpath are available for use and can compromise security in some systems. The optional Java system property, hsqldb.method_class_names, allows preventing access to classes other than java.lang.Math or specifying a semicolon-separated list of allowed classes. A property value that ends with .* is treated as a wild card and allows access to all class or method names formed by substitution of the * (asterisk).\n\nIn the example below, the property has been included as an argument to the Java command.\n\n java -Dhsqldb.method_class_names=\"org.me.MyClass;org.you.YourClass;org.you.lib.*\" [the rest of the command line]\n\nThe above example allows access to the methods in the two classes: org.me.MyClass and org.you.YourClass together with all the classes in the org.you.lib package. Note that if the property is not defined, no access control is performed at this level.\n\nThe user who creates a Java routine must have the relevant access privileges on the tables that are used inside the Java method.\n\nOnce the routine has been defined, the normal database access control applies to its user. The routine can be executed only by those users who have been granted EXECUTE privileges on it. Access to routines can be granted to users with GRANT EXECUTE or GRANT ALL. For example, GRANT EXECUTE ON myroutine TO PUBLIC.\n\nIn hsqldb 2.7.1, all classes by default are not accessible, except those in java.lang.Math and need to be manually enabled.", product_ids: [ "Red Hat Fuse 7.11.1", ], }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 9.8, baseSeverity: "CRITICAL", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, products: [ "Red Hat Fuse 7.11.1", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "hsqldb: Untrusted input may lead to RCE attack", }, { cve: "CVE-2022-42889", cwe: { id: "CWE-1188", name: "Initialization of a Resource with an Insecure Default", }, discovery_date: "2022-10-15T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2135435", }, ], notes: [ { category: "description", text: "A flaw was found in Apache Commons Text packages 1.5 through 1.9. The affected versions allow an attacker to benefit from a variable interpolation process contained in Apache Commons Text, which can cause properties to be dynamically defined. Server applications are vulnerable to remote code execution (RCE) and unintentional contact with untrusted remote servers.", title: "Vulnerability description", }, { category: "summary", text: "apache-commons-text: variable interpolation RCE", title: "Vulnerability summary", }, { category: "other", text: "In order to carry successful exploitation of this vulnerability, the following conditions must be in place on the affected target:\n - Usage of specific methods that interpolate the variables as described in the flaw\n - Usage of external input for those methods\n - Usage of that external input has to be unsanitized/no \"allow list\"/etc.\n\nThe following products have *Low* impact because they have maven references to the affected package but do not ship it nor use the code:\n- Red Hat EAP Expansion Pack (EAP-XP)\n- Red Hat Camel-K\n- Red Hat Camel-Quarkus\n\nRed Hat Satellite ships Candlepin that embeds Apache Commons Text, however, it is not vulnerable to the flaw since the library has not been exposed in the product code. In Candlepin, the Commons Text is being pulled for the Liquibase and ActiveMQ Artemis libraries as a dependency. Red Hat Product Security has evaluated and rated the impact of the flaw as Low for Satellite since there was no harm identified to the confidentiality, integrity, or availability of systems.\n\n- The OCP has a *Moderate* impact because the affected library is a third-party library in the OCP jenkins-2-plugin component which reduces the possibilities of successful exploitation.\n- The OCP-4.8 is affected by this CVE and is in an extended life phase. For versions of products in the Extended Life Phase, Red Hat will provide limited ongoing technical support. No bug fixes, security fixes, hardware enablement or root-cause analysis will be available during this phase, and support will be provided on existing installations only.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat Fuse 7.11.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-42889", }, { category: "external", summary: "RHBZ#2135435", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2135435", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-42889", url: "https://www.cve.org/CVERecord?id=CVE-2022-42889", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-42889", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-42889", }, { category: "external", summary: "https://blogs.apache.org/security/entry/cve-2022-42889", url: "https://blogs.apache.org/security/entry/cve-2022-42889", }, { category: "external", summary: "https://lists.apache.org/thread/n2bd4vdsgkqh2tm14l1wyc3jyol7s1om", url: "https://lists.apache.org/thread/n2bd4vdsgkqh2tm14l1wyc3jyol7s1om", }, { category: "external", summary: "https://seclists.org/oss-sec/2022/q4/22", url: "https://seclists.org/oss-sec/2022/q4/22", }, ], release_date: "2022-10-13T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2022-11-28T14:39:27+00:00", details: "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nInstallation instructions are available from the Fuse 7.11.1 product documentation page:\nhttps://access.redhat.com/documentation/en-us/red_hat_fuse/7.11/", product_ids: [ "Red Hat Fuse 7.11.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2022:8652", }, { category: "workaround", details: "This flaw may be avoided by ensuring that any external inputs used with the Commons-Text lookup methods are sanitized properly. Untrusted input should always be thoroughly sanitized before using in any potentially risky situations.", product_ids: [ "Red Hat Fuse 7.11.1", ], }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 9.8, baseSeverity: "CRITICAL", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, products: [ "Red Hat Fuse 7.11.1", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "apache-commons-text: variable interpolation RCE", }, ], }
ghsa-fg2v-w576-w4v3
Vulnerability from github
Published
2022-02-10 22:46
Modified
2024-06-21 21:33
Severity ?
Summary
Out of bounds read in json-smart
Details
A vulnerability was discovered in the indexOf function of JSONParserByteArray in JSON Smart versions prior to 1.3.3 and 2.4.5 which causes a denial of service (DOS) via a crafted web request.
{ affected: [ { package: { ecosystem: "Maven", name: "net.minidev:json-smart", }, ranges: [ { events: [ { introduced: "1.3.0", }, { fixed: "1.3.3", }, ], type: "ECOSYSTEM", }, ], }, { package: { ecosystem: "Maven", name: "net.minidev:json-smart", }, ranges: [ { events: [ { introduced: "2.4.0", }, { fixed: "2.4.4", }, ], type: "ECOSYSTEM", }, ], }, ], aliases: [ "CVE-2021-31684", ], database_specific: { cwe_ids: [ "CWE-125", "CWE-787", ], github_reviewed: true, github_reviewed_at: "2021-06-02T20:27:42Z", nvd_published_at: "2021-06-01T20:15:00Z", severity: "HIGH", }, details: "A vulnerability was discovered in the indexOf function of JSONParserByteArray in JSON Smart versions prior to 1.3.3 and 2.4.5 which causes a denial of service (DOS) via a crafted web request.", id: "GHSA-fg2v-w576-w4v3", modified: "2024-06-21T21:33:50Z", published: "2022-02-10T22:46:22Z", references: [ { type: "ADVISORY", url: "https://nvd.nist.gov/vuln/detail/CVE-2021-31684", }, { type: "WEB", url: "https://github.com/netplex/json-smart-v1/issues/10", }, { type: "WEB", url: "https://github.com/netplex/json-smart-v2/issues/67", }, { type: "WEB", url: "https://github.com/netplex/json-smart-v1/pull/11", }, { type: "WEB", url: "https://github.com/netplex/json-smart-v2/pull/68", }, { type: "PACKAGE", url: "https://github.com/netplex/json-smart-v1", }, { type: "WEB", url: "https://lists.debian.org/debian-lts-announce/2023/03/msg00030.html", }, { type: "WEB", url: "https://security.netapp.com/advisory/ntap-20240621-0006", }, { type: "WEB", url: "https://www.oracle.com/security-alerts/cpujan2022.html", }, { type: "WEB", url: "https://www.oracle.com/security-alerts/cpujul2022.html", }, ], schema_version: "1.4.0", severity: [ { score: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", type: "CVSS_V3", }, ], summary: "Out of bounds read in json-smart", }
fkie_cve-2021-31684
Vulnerability from fkie_nvd
Published
2021-06-01 20:15
Modified
2024-11-21 06:06
Severity ?
Summary
A vulnerability was discovered in the indexOf function of JSONParserByteArray in JSON Smart versions 1.3 and 2.4 which causes a denial of service (DOS) via a crafted web request.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| json-smart_project | json-smart-v1 | * | |
| json-smart_project | json-smart-v2 | * | |
| oracle | utilities_framework | 4.4.0.0.0 | |
| oracle | utilities_framework | 4.4.0.2.0 | |
| oracle | utilities_framework | 4.4.0.3.0 |
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:json-smart_project:json-smart-v1:*:*:*:*:*:*:*:*", matchCriteriaId: "A087629A-9D66-4991-8FC4-DD6B28F8A046", versionEndExcluding: "1.3.3", versionStartIncluding: "1.3", vulnerable: true, }, { criteria: "cpe:2.3:a:json-smart_project:json-smart-v2:*:*:*:*:*:*:*:*", matchCriteriaId: "4F757C16-6C4E-412F-8E75-95A83F1B68CC", versionEndExcluding: "2.4.4", versionStartIncluding: "2.4", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:oracle:utilities_framework:4.4.0.0.0:*:*:*:*:*:*:*", matchCriteriaId: "3F906F04-39E4-4BE4-8A73-9D058AAADB43", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:utilities_framework:4.4.0.2.0:*:*:*:*:*:*:*", matchCriteriaId: "7B393A82-476A-4270-A903-38ED4169E431", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:utilities_framework:4.4.0.3.0:*:*:*:*:*:*:*", matchCriteriaId: "85CAE52B-C2CA-4C6B-A0B7-2B9D6F0499E2", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "A vulnerability was discovered in the indexOf function of JSONParserByteArray in JSON Smart versions 1.3 and 2.4 which causes a denial of service (DOS) via a crafted web request.", }, { lang: "es", value: "Se ha detectado una vulnerabilidad en la función indexOf de JSONParserByteArray en versiones 1.3 y 2.4 de JSON Smart que causa una Denegación de Servicio (DOS) por medio de una petición web diseñada", }, ], id: "CVE-2021-31684", lastModified: "2024-11-21T06:06:07.743", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "MEDIUM", cvssData: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "PARTIAL", baseScore: 5, confidentialityImpact: "NONE", integrityImpact: "NONE", vectorString: "AV:N/AC:L/Au:N/C:N/I:N/A:P", version: "2.0", }, exploitabilityScore: 10, impactScore: 2.9, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: false, }, ], cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, exploitabilityScore: 3.9, impactScore: 3.6, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2021-06-01T20:15:08.480", references: [ { source: "cve@mitre.org", tags: [ "Issue Tracking", "Third Party Advisory", ], url: "https://github.com/netplex/json-smart-v1/issues/10", }, { source: "cve@mitre.org", tags: [ "Patch", "Third Party Advisory", ], url: "https://github.com/netplex/json-smart-v1/pull/11", }, { source: "cve@mitre.org", tags: [ "Exploit", "Issue Tracking", "Third Party Advisory", ], url: "https://github.com/netplex/json-smart-v2/issues/67", }, { source: "cve@mitre.org", tags: [ "Patch", "Third Party Advisory", ], url: "https://github.com/netplex/json-smart-v2/pull/68", }, { source: "cve@mitre.org", url: "https://lists.debian.org/debian-lts-announce/2023/03/msg00030.html", }, { source: "cve@mitre.org", url: "https://security.netapp.com/advisory/ntap-20240621-0006/", }, { source: "cve@mitre.org", tags: [ "Patch", "Third Party Advisory", ], url: "https://www.oracle.com/security-alerts/cpujan2022.html", }, { source: "cve@mitre.org", url: "https://www.oracle.com/security-alerts/cpujul2022.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Issue Tracking", "Third Party Advisory", ], url: "https://github.com/netplex/json-smart-v1/issues/10", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Patch", "Third Party Advisory", ], url: "https://github.com/netplex/json-smart-v1/pull/11", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Exploit", "Issue Tracking", "Third Party Advisory", ], url: "https://github.com/netplex/json-smart-v2/issues/67", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Patch", "Third Party Advisory", ], url: "https://github.com/netplex/json-smart-v2/pull/68", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.debian.org/debian-lts-announce/2023/03/msg00030.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://security.netapp.com/advisory/ntap-20240621-0006/", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Patch", "Third Party Advisory", ], url: "https://www.oracle.com/security-alerts/cpujan2022.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://www.oracle.com/security-alerts/cpujul2022.html", }, ], sourceIdentifier: "cve@mitre.org", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-787", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
gsd-2021-31684
Vulnerability from gsd
Modified
2023-12-13 01:23
Details
A vulnerability was discovered in the indexOf function of JSONParserByteArray in JSON Smart versions 1.3 and 2.4 which causes a denial of service (DOS) via a crafted web request.
Aliases
Aliases
{ GSD: { alias: "CVE-2021-31684", description: "A vulnerability was discovered in the indexOf function of JSONParserByteArray in JSON Smart versions 1.3 and 2.4 which causes a denial of service (DOS) via a crafted web request.", id: "GSD-2021-31684", references: [ "https://access.redhat.com/errata/RHSA-2022:8652", ], }, gsd: { metadata: { exploitCode: "unknown", remediation: "unknown", reportConfidence: "confirmed", type: "vulnerability", }, osvSchema: { aliases: [ "CVE-2021-31684", ], details: "A vulnerability was discovered in the indexOf function of JSONParserByteArray in JSON Smart versions 1.3 and 2.4 which causes a denial of service (DOS) via a crafted web request.", id: "GSD-2021-31684", modified: "2023-12-13T01:23:13.430190Z", schema_version: "1.4.0", }, }, namespaces: { "cve.org": { CVE_data_meta: { ASSIGNER: "cve@mitre.org", ID: "CVE-2021-31684", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "n/a", version: { version_data: [ { version_value: "n/a", }, ], }, }, ], }, vendor_name: "n/a", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "A vulnerability was discovered in the indexOf function of JSONParserByteArray in JSON Smart versions 1.3 and 2.4 which causes a denial of service (DOS) via a crafted web request.", }, ], }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "n/a", }, ], }, ], }, references: { reference_data: [ { name: "https://github.com/netplex/json-smart-v1/issues/10", refsource: "MISC", url: "https://github.com/netplex/json-smart-v1/issues/10", }, { name: "https://github.com/netplex/json-smart-v1/pull/11", refsource: "MISC", url: "https://github.com/netplex/json-smart-v1/pull/11", }, { name: "https://github.com/netplex/json-smart-v2/issues/67", refsource: "MISC", url: "https://github.com/netplex/json-smart-v2/issues/67", }, { name: "https://github.com/netplex/json-smart-v2/pull/68", refsource: "MISC", url: "https://github.com/netplex/json-smart-v2/pull/68", }, { name: "https://www.oracle.com/security-alerts/cpujan2022.html", refsource: "MISC", url: "https://www.oracle.com/security-alerts/cpujan2022.html", }, { name: "https://www.oracle.com/security-alerts/cpujul2022.html", refsource: "MISC", url: "https://www.oracle.com/security-alerts/cpujul2022.html", }, { name: "[debian-lts-announce] 20230331 [SECURITY] [DLA 3373-1] json-smart security update", refsource: "MLIST", url: "https://lists.debian.org/debian-lts-announce/2023/03/msg00030.html", }, ], }, }, "gitlab.com": { advisories: [ { affected_range: "[,1.3],[2.0,2.4]", affected_versions: "All versions up to 1.3, all versions starting from 2.0 up to 2.4", cvss_v2: "AV:N/AC:L/Au:N/C:N/I:N/A:P", cvss_v3: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", cwe_ids: [ "CWE-1035", "CWE-787", "CWE-937", ], date: "2021-06-10", description: "A vulnerability was discovered in the indexOf function of JSONParserByteArray in JSON Smart which causes a denial of service (DOS) via a crafted web request.", fixed_versions: [ "1.3.1", "2.4.1", ], identifier: "CVE-2021-31684", identifiers: [ "CVE-2021-31684", ], not_impacted: "All versions after 1.3 before 2.0, all versions after 2.4", package_slug: "maven/net.minidev/json-smart", pubdate: "2021-06-01", solution: "Upgrade to versions 1.3.1, 2.4.1 or above.", title: "Out-of-bounds Write", urls: [ "https://nvd.nist.gov/vuln/detail/CVE-2021-31684", ], uuid: "0ef516fe-e582-491a-ae51-a0b1cca01ad3", }, ], }, "nvd.nist.gov": { configurations: { CVE_data_version: "4.0", nodes: [ { children: [], cpe_match: [ { cpe23Uri: "cpe:2.3:a:json-smart_project:json-smart-v1:*:*:*:*:*:*:*:*", cpe_name: [], versionEndExcluding: "1.3.3", versionStartIncluding: "1.3", vulnerable: true, }, { cpe23Uri: "cpe:2.3:a:json-smart_project:json-smart-v2:*:*:*:*:*:*:*:*", cpe_name: [], versionEndExcluding: "2.4.4", versionStartIncluding: "2.4", vulnerable: true, }, ], operator: "OR", }, { children: [], cpe_match: [ { cpe23Uri: "cpe:2.3:a:oracle:utilities_framework:4.4.0.0.0:*:*:*:*:*:*:*", cpe_name: [], vulnerable: true, }, { cpe23Uri: "cpe:2.3:a:oracle:utilities_framework:4.4.0.2.0:*:*:*:*:*:*:*", cpe_name: [], vulnerable: true, }, { cpe23Uri: "cpe:2.3:a:oracle:utilities_framework:4.4.0.3.0:*:*:*:*:*:*:*", cpe_name: [], vulnerable: true, }, ], operator: "OR", }, ], }, cve: { CVE_data_meta: { ASSIGNER: "cve@mitre.org", ID: "CVE-2021-31684", }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "en", value: "A vulnerability was discovered in the indexOf function of JSONParserByteArray in JSON Smart versions 1.3 and 2.4 which causes a denial of service (DOS) via a crafted web request.", }, ], }, problemtype: { problemtype_data: [ { description: [ { lang: "en", value: "CWE-787", }, ], }, ], }, references: { reference_data: [ { name: "https://github.com/netplex/json-smart-v1/issues/10", refsource: "MISC", tags: [ "Issue Tracking", "Third Party Advisory", ], url: "https://github.com/netplex/json-smart-v1/issues/10", }, { name: "https://github.com/netplex/json-smart-v1/pull/11", refsource: "MISC", tags: [ "Patch", "Third Party Advisory", ], url: "https://github.com/netplex/json-smart-v1/pull/11", }, { name: "https://github.com/netplex/json-smart-v2/issues/67", refsource: "MISC", tags: [ "Exploit", "Issue Tracking", "Third Party Advisory", ], url: "https://github.com/netplex/json-smart-v2/issues/67", }, { name: "https://github.com/netplex/json-smart-v2/pull/68", refsource: "MISC", tags: [ "Patch", "Third Party Advisory", ], url: "https://github.com/netplex/json-smart-v2/pull/68", }, { name: "https://www.oracle.com/security-alerts/cpujan2022.html", refsource: "MISC", tags: [ "Patch", "Third Party Advisory", ], url: "https://www.oracle.com/security-alerts/cpujan2022.html", }, { name: "N/A", refsource: "N/A", tags: [], url: "https://www.oracle.com/security-alerts/cpujul2022.html", }, { name: "[debian-lts-announce] 20230331 [SECURITY] [DLA 3373-1] json-smart security update", refsource: "MLIST", tags: [], url: "https://lists.debian.org/debian-lts-announce/2023/03/msg00030.html", }, ], }, }, impact: { baseMetricV2: { acInsufInfo: false, cvssV2: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "PARTIAL", baseScore: 5, confidentialityImpact: "NONE", integrityImpact: "NONE", vectorString: "AV:N/AC:L/Au:N/C:N/I:N/A:P", version: "2.0", }, exploitabilityScore: 10, impactScore: 2.9, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, severity: "MEDIUM", userInteractionRequired: false, }, baseMetricV3: { cvssV3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, exploitabilityScore: 3.9, impactScore: 3.6, }, }, lastModifiedDate: "2023-03-31T11:15Z", publishedDate: "2021-06-01T20:15Z", }, }, }
Log in or create an account to share your comment.
Security Advisory comment format.
This schema specifies the format of a comment related to a security advisory.
UUIDv4 of the comment
UUIDv4 of the Vulnerability-Lookup instance
When the comment was created originally
When the comment was last updated
Title of the comment
Description of the comment
The identifier of the vulnerability (CVE ID, GHSA-ID, PYSEC ID, etc.).
Loading…
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.