cve-2022-1278
Vulnerability from cvelistv5
Published
2022-09-13 13:38
Modified
2024-08-02 23:55
Severity: CVSS 3.1 base score 7.5 (High), vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N (NVD primary score). Red Hat rates the impact on its own products as Low; see the advisories below.
Summary
A flaw was found in WildFly, where an attacker can see deployment names, endpoints, and any other data the trace payload may contain. The CNA record classifies it as CWE-1188 (Initialization of a Resource with an Insecure Default) and lists no fixed WildFly version; NVD marks WildFly versions before 27.0.0 as affected, and Red Hat ships fixes for its own products in RHSA-2023:1661 (AMQ Broker 7.11.0) and RHSA-2023:1855 (JBoss EAP XP 4.0.0.GA), both reproduced below.
References
| Source | URL | Tags |
|---|---|---|
| secalert@redhat.com | https://bugzilla.redhat.com/show_bug.cgi?id=2073401 | Issue Tracking, Vendor Advisory |
| af854a3a-2127-422b-91ae-364da2661108 (CVE Program Container) | https://bugzilla.redhat.com/show_bug.cgi?id=2073401 | Issue Tracking, Vendor Advisory |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T23:55:24.610Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2073401" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "WildFly", "vendor": "n/a", "versions": [ { "status": "affected", "version": "no fixed versions known" } ] } ], "descriptions": [ { "lang": "en", "value": "A flaw was found in WildFly, where an attacker can see deployment names, endpoints, and any other data the trace payload may contain." } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-1188", "description": "CWE-1188", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2022-09-13T13:38:02", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2073401" } ] } }, "cveMetadata": { "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2022-1278", "datePublished": "2022-09-13T13:38:02", "dateReserved": "2022-04-08T00:00:00", "dateUpdated": "2024-08-02T23:55:24.610Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1", "vulnerability-lookup:meta": { "nvd": "{\"cve\":{\"id\":\"CVE-2022-1278\",\"sourceIdentifier\":\"secalert@redhat.com\",\"published\":\"2022-09-13T14:15:08.620\",\"lastModified\":\"2024-11-21T06:40:23.890\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"A flaw was found in WildFly, where an attacker can see deployment names, endpoints, and any other data the trace payload may contain.\"},{\"lang\":\"es\",\"value\":\"Se ha encontrado un fallo en WildFly, en el que un atacante puede visualizar los nombres de los despliegues, los endpoints y cualquier otro dato que pueda contener 
la carga \u00fatil de rastreo\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"secalert@redhat.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-1188\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-1188\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:wildfly:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"27.0.0\",\"matchCriteriaId\":\"426B1BCF-20D8-4793-AC27-D8547F86DB3B\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:amq:2.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"B6D3AF88-5812-4BB6-871F-C0EA39AD66AE\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:amq_online:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"153BBB97-7890-4C7A-9EDD-92A426B06DEF\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:integration_camel_k:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"B87C8AD3-8878-4546-86C2-BF411876648C\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:integration_service_registry:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"EF03BDE8-602D-4DEE-BA5B-5B20FDF47741\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:jboss_a-mq:7:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"A58966CB-36AF-4E64-AB39-BE3A0753E155\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:jboss_enterprise_application_platform_expansion_pack:-:*:*:*:*:*:*:*\",\"matchCr
iteriaId\":\"0A24CBFB-4900-47A5-88D2-A44C929603DC\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:single_sign-on:7.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"9EFEC7CA-8DDA-48A6-A7B6-1F1D14792890\"}]}]}],\"references\":[{\"url\":\"https://bugzilla.redhat.com/show_bug.cgi?id=2073401\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Issue Tracking\",\"Vendor Advisory\"]},{\"url\":\"https://bugzilla.redhat.com/show_bug.cgi?id=2073401\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Issue Tracking\",\"Vendor Advisory\"]}]}}" } }
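The NVD `configurations` block in the record above is what a scanner actually matches against: WildFly with any version below 27.0.0 (versionEndExcluding), plus a second node of Red Hat product CPEs matched on their exact version field. The following Python is an added example, not part of this page, of NVD's tooling or of Red Hat's; it evaluates such a block against a concrete product CPE. The configuration is a hand-copied subset of the record (matchCriteriaId values dropped, the second node trimmed to two of its entries), the product CPEs fed in are constructed inputs, and the version ordering rule is stated in the code as an assumption.

```python
"""Evaluate an NVD CPE applicability statement against a product CPE.

Added example for the CVE-2022-1278 record; not NVD or Red Hat code.
"""
import re

# Constructed subset of the NVD `configurations` block for CVE-2022-1278
# (copied from the record above; matchCriteriaId values omitted, second
# node trimmed to two of its seven entries).
CVE_2022_1278_CONFIGURATIONS = [
    {"nodes": [{"operator": "OR", "negate": False, "cpeMatch": [
        {"vulnerable": True,
         "criteria": "cpe:2.3:a:redhat:wildfly:*:*:*:*:*:*:*:*",
         "versionEndExcluding": "27.0.0"},
    ]}]},
    {"nodes": [{"operator": "OR", "negate": False, "cpeMatch": [
        {"vulnerable": True,
         "criteria": "cpe:2.3:a:redhat:amq:2.0:*:*:*:*:*:*:*"},
        {"vulnerable": True,
         "criteria": "cpe:2.3:a:redhat:single_sign-on:7.0:*:*:*:*:*:*:*"},
    ]}]},
]

_BOUNDS = ("versionStartIncluding", "versionStartExcluding",
           "versionEndIncluding", "versionEndExcluding")


def _split_cpe(cpe):
    """Split a CPE 2.3 formatted string into its 11 attribute fields."""
    fields = cpe.split(":")
    if len(fields) != 13 or fields[:2] != ["cpe", "2.3"]:
        raise ValueError("not a CPE 2.3 formatted string: %r" % cpe)
    return fields[2:]  # part, vendor, product, version, update, ...


def _version_key(version):
    """Component-wise ordering: numeric parts as integers, other parts
    (e.g. 'Final') as strings sorting after any number. This makes
    '27.0.0.Final' >= '27.0.0', which is what the bound above needs.
    Assumption: pre-release qualifiers like 'Beta1' are not special-cased,
    so '27.0.0.Beta1' also sorts above '27.0.0'."""
    return tuple((0, int(p)) if p.isdigit() else (1, p)
                 for p in re.split(r"[.\-]", version))


def _within_bounds(match, version):
    v = _version_key(version)
    tests = {
        "versionStartIncluding": lambda b: v >= b,
        "versionStartExcluding": lambda b: v > b,
        "versionEndIncluding": lambda b: v <= b,
        "versionEndExcluding": lambda b: v < b,
    }
    return all(tests[k](_version_key(match[k])) for k in _BOUNDS if k in match)


def cpe_matches(match, cpe):
    """Does one cpeMatch entry apply to `cpe`? Criteria fields match when
    equal or when the criteria field is the '*' wildcard; if the entry
    carries version bounds, the target must have a concrete version."""
    crit, target = _split_cpe(match["criteria"]), _split_cpe(cpe)
    if any(c not in ("*", t) for c, t in zip(crit, target)):
        return False
    if not any(k in match for k in _BOUNDS):
        return True
    version = target[3]
    if version in ("*", "-"):
        return False  # a range is stated but there is nothing concrete to compare
    return _within_bounds(match, version)


def _node_matches(node, cpe):
    entries = [m for m in node.get("cpeMatch", []) if m.get("vulnerable", True)]
    hits = [cpe_matches(m, cpe) for m in entries]
    if not hits:
        result = False
    else:
        result = all(hits) if node.get("operator") == "AND" else any(hits)
    return (not result) if node.get("negate") else result


def is_vulnerable(cpe, configurations):
    """True if `cpe` satisfies any configuration; within a configuration
    the nodes combine by its operator (OR unless 'AND' is stated)."""
    for config in configurations:
        results = [_node_matches(n, cpe) for n in config.get("nodes", [])]
        if all(results) if config.get("operator") == "AND" else any(results):
            return True
    return False


if __name__ == "__main__":
    for cpe in ("cpe:2.3:a:redhat:wildfly:26.1.3.Final:*:*:*:*:*:*:*",
                "cpe:2.3:a:redhat:wildfly:27.0.0.Final:*:*:*:*:*:*:*",
                "cpe:2.3:a:redhat:amq:2.0:*:*:*:*:*:*:*"):
        state = "affected" if is_vulnerable(cpe, CVE_2022_1278_CONFIGURATIONS) else "not affected"
        print(cpe, "->", state)
```

The WildFly entry is a range, so only the version field of the target decides; the AMQ and SSO entries have a literal version in the criteria and match only that exact string, which is why a version such as 7.11.0 (the fixed AMQ Broker release in RHSA-2023:1661 below) does not match the `amq:2.0` entry. Whether a range bound should treat `27.0.0.Final` as equal to `27.0.0` is a product-specific decision; the key function above is one defensible choice, not NVD's.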
rhsa-2023_1661
Vulnerability from csaf_redhat
Published
2023-04-05 13:34
Modified
2024-11-22 21:10
Summary
Red Hat Security Advisory: Red Hat AMQ Broker 7.11.0 release and security update
Notes
Topic
Red Hat AMQ Broker 7.11.0 is now available from the Red Hat Customer Portal.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
AMQ Broker is a high-performance messaging implementation based on ActiveMQ Artemis. It uses an asynchronous journal for fast message persistence, and supports multiple languages, protocols, and platforms.
This release of Red Hat AMQ Broker 7.11.0 includes security and bug fixes, and enhancements. For further information, refer to the release notes linked to in the References section.
Security Fix(es):
* keycloak: path traversal via double URL encoding (CVE-2022-3782)
* springframework: DoS via data binding to multipartFile or servlet part (CVE-2022-22970)
* springframework: DoS with STOMP over WebSocket (CVE-2022-22971)
* WildFly: possible information disclosure (CVE-2022-1278)
* jetty-http: improper hostname input handling (CVE-2022-2047)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
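Two things in the CSAF record that follows are easy to misread. First, `product_status.fixed` is the only statement about your product; the CVSS score is the CVE's generic score, and the advisory's own "CVSS score applicability" note says it does not reflect the product's status. Second, Red Hat's per-CVE impact (`threats` with category `impact`) uses a different four-level scale from the CVSS band, and for CVE-2022-1278 they disagree (impact Low, CVSS 7.5 High). The Python below is an added example, not code from this page or from Red Hat, that triages one CSAF 2.0 advisory for a named product and lists such gaps instead of silently preferring one rating. `CSAF_DOC` is a hand-trimmed subset of RHSA-2023:1661 as reproduced below (notes, references and remediations dropped); the impact-to-CVSS-band mapping is our assumption for the comparison, not Red Hat's.

```python
"""Triage a Red Hat CSAF 2.0 advisory for one product.

Added example, not Red Hat tooling. CSAF_DOC is a trimmed copy of the
RHSA-2023:1661 record shown on the page.
"""

CSAF_DOC = {
    "document": {
        "tracking": {"id": "RHSA-2023:1661"},
        "aggregate_severity": {"text": "Important"},
    },
    "vulnerabilities": [
        {"cve": "CVE-2022-1278", "cwe": {"id": "CWE-1188"},
         "product_status": {"fixed": ["AMQ Broker 7.11.0"]},
         "scores": [{"cvss_v3": {"baseScore": 7.5, "baseSeverity": "HIGH"},
                     "products": ["AMQ Broker 7.11.0"]}],
         "threats": [{"category": "impact", "details": "Low"}]},
        {"cve": "CVE-2022-2047", "cwe": {"id": "CWE-20"},
         "product_status": {"fixed": ["AMQ Broker 7.11.0"]},
         "scores": [{"cvss_v3": {"baseScore": 2.7, "baseSeverity": "LOW"},
                     "products": ["AMQ Broker 7.11.0"]}],
         "threats": [{"category": "impact", "details": "Low"}]},
        {"cve": "CVE-2022-3782", "cwe": {"id": "CWE-22"},
         "product_status": {"fixed": ["AMQ Broker 7.11.0"]},
         "scores": [{"cvss_v3": {"baseScore": 8.1, "baseSeverity": "HIGH"},
                     "products": ["AMQ Broker 7.11.0"]}],
         "threats": [{"category": "impact", "details": "Important"}]},
        {"cve": "CVE-2022-22970", "cwe": {"id": "CWE-770"},
         "product_status": {"fixed": ["AMQ Broker 7.11.0"]},
         "scores": [{"cvss_v3": {"baseScore": 5.3, "baseSeverity": "MEDIUM"},
                     "products": ["AMQ Broker 7.11.0"]}],
         "threats": [{"category": "impact", "details": "Low"}]},
        {"cve": "CVE-2022-22971", "cwe": {"id": "CWE-770"},
         "product_status": {"fixed": ["AMQ Broker 7.11.0"]},
         "scores": [{"cvss_v3": {"baseScore": 6.5, "baseSeverity": "MEDIUM"},
                     "products": ["AMQ Broker 7.11.0"]}],
         "threats": [{"category": "impact", "details": "Low"}]},
    ],
}

# Red Hat's four-level impact scale, lowest first.
RH_IMPACT_ORDER = ["Low", "Moderate", "Important", "Critical"]
# Assumption (ours, not Red Hat's): the CVSS v3 band a Red Hat impact level
# would sit in, used only to detect where the two ratings diverge.
IMPACT_TO_CVSS = {"Low": "LOW", "Moderate": "MEDIUM",
                  "Important": "HIGH", "Critical": "CRITICAL"}


def vendor_impact(vuln):
    """Red Hat's impact rating for one vulnerability entry, or None."""
    return next((t["details"] for t in vuln.get("threats", [])
                 if t.get("category") == "impact"), None)


def cvss_for(vuln, product_id):
    """The cvss_v3 block whose `products` list names product_id, or None."""
    return next((s["cvss_v3"] for s in vuln.get("scores", [])
                 if product_id in s.get("products", [])), None)


def triage(doc, product_id):
    """One row per CVE: fix status for the product, vendor impact, CVSS, and
    whether the vendor impact and CVSS band disagree."""
    rows = []
    for v in doc["vulnerabilities"]:
        cvss = cvss_for(v, product_id) or {}
        impact = vendor_impact(v)
        rows.append({
            "cve": v["cve"],
            "cwe": v.get("cwe", {}).get("id"),
            "fixed": product_id in v.get("product_status", {}).get("fixed", []),
            "impact": impact,
            "score": cvss.get("baseScore"),
            "severity": cvss.get("baseSeverity"),
            "rating_gap": IMPACT_TO_CVSS.get(impact) != cvss.get("baseSeverity"),
        })
    return rows


def unfixed_cves(doc, product_id):
    return [r["cve"] for r in triage(doc, product_id) if not r["fixed"]]


def rating_gaps(doc, product_id):
    return [r["cve"] for r in triage(doc, product_id) if r["rating_gap"]]


def aggregate_consistent(doc):
    """The document-level aggregate_severity should equal the highest per-CVE impact."""
    highest = max((vendor_impact(v) for v in doc["vulnerabilities"]),
                  key=RH_IMPACT_ORDER.index)
    return doc["document"]["aggregate_severity"]["text"] == highest


if __name__ == "__main__":
    product = "AMQ Broker 7.11.0"
    for r in triage(CSAF_DOC, product):
        flag = "  <- vendor impact and CVSS band differ" if r["rating_gap"] else ""
        print(f'{r["cve"]:15} {r["cwe"]:9} fixed={r["fixed"]} impact={r["impact"]:9} '
              f'cvss={r["score"]} {r["severity"]}{flag}')
    print("unfixed for", product, "->", unfixed_cves(CSAF_DOC, product))
    print("aggregate severity consistent:", aggregate_consistent(CSAF_DOC))
```

Run against the full advisory JSON (`json.load` of the canonical CSAF URL in its references) the same functions apply unchanged; only the `product_id` string has to match the `product_tree` entry exactly, here "AMQ Broker 7.11.0". A product that is not named in `product_status.fixed` for a CVE is simply not covered by this advisory, which is not the same as being unaffected.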
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Important" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "Red Hat AMQ Broker 7.11.0 is now available from the Red Hat Customer Portal.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", "title": "Topic" }, { "category": "general", "text": "AMQ Broker is a high-performance messaging implementation based on ActiveMQ Artemis. It uses an asynchronous journal for fast message persistence, and supports multiple languages, protocols, and platforms.\n\nThis release of Red Hat AMQ Broker 7.11.0 includes security and bug fixes, and enhancements. For further information, refer to the release notes linked to in the References section.\n\nSecurity Fix(es):\n\n* keycloak: path traversal via double URL encoding (CVE-2022-3782)\n\n* springframework: DoS via data binding to multipartFile or servlet part (CVE-2022-22970)\n\n* springframework: DoS with STOMP over WebSocket (CVE-2022-22971)\n\n* WildFly: possible information disclosure (CVE-2022-1278)\n\n* jetty-http: improver hostname input handling (CVE-2022-2047)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). 
If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2023:1661", "url": "https://access.redhat.com/errata/RHSA-2023:1661" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#important", "url": "https://access.redhat.com/security/updates/classification/#important" }, { "category": "external", "summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions\u0026product=jboss.amq.broker\u0026version=7.11.0", "url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions\u0026product=jboss.amq.broker\u0026version=7.11.0" }, { "category": "external", "summary": "https://access.redhat.com/documentation/en-us/red_hat_amq_broker/7.11", "url": "https://access.redhat.com/documentation/en-us/red_hat_amq_broker/7.11" }, { "category": "external", "summary": "2073401", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2073401" }, { "category": "external", "summary": "2087272", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2087272" }, { "category": "external", "summary": "2087274", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2087274" }, { "category": "external", "summary": "2116949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2116949" }, { "category": "external", "summary": "2138971", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2138971" }, { "category": "self", "summary": "Canonical URL", "url": 
"https://security.access.redhat.com/data/csaf/v2/advisories/2023/rhsa-2023_1661.json" } ], "title": "Red Hat Security Advisory: Red Hat AMQ Broker 7.11.0 release and security update", "tracking": { "current_release_date": "2024-11-22T21:10:48+00:00", "generator": { "date": "2024-11-22T21:10:48+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.2.1" } }, "id": "RHSA-2023:1661", "initial_release_date": "2023-04-05T13:34:59+00:00", "revision_history": [ { "date": "2023-04-05T13:34:59+00:00", "number": "1", "summary": "Initial version" }, { "date": "2023-04-05T13:34:59+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2024-11-22T21:10:48+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "AMQ Broker 7.11.0", "product": { "name": "AMQ Broker 7.11.0", "product_id": "AMQ Broker 7.11.0", "product_identification_helper": { "cpe": "cpe:/a:redhat:amq_broker:7" } } } ], "category": "product_family", "name": "Red Hat JBoss AMQ" } ], "category": "vendor", "name": "Red Hat" } ] }, "vulnerabilities": [ { "cve": "CVE-2022-1278", "cwe": { "id": "CWE-1188", "name": "Initialization of a Resource with an Insecure Default" }, "discovery_date": "2022-04-08T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2073401" } ], "notes": [ { "category": "description", "text": "A flaw was found in WildFly. 
This flaw allows an attacker to see deployment names, endpoints, and any other data the trace payload may contain.", "title": "Vulnerability description" }, { "category": "summary", "text": "WildFly: possible information disclosure", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "AMQ Broker 7.11.0" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-1278" }, { "category": "external", "summary": "RHBZ#2073401", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2073401" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-1278", "url": "https://www.cve.org/CVERecord?id=CVE-2022-1278" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-1278", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1278" } ], "release_date": "2022-04-08T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-04-05T13:34:59+00:00", "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", "product_ids": [ "AMQ Broker 7.11.0" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:1661" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": 
"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1" }, "products": [ "AMQ Broker 7.11.0" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "WildFly: possible information disclosure" }, { "cve": "CVE-2022-2047", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2022-08-09T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2116949" } ], "notes": [ { "category": "description", "text": "A flaw was found in Eclipse Jetty. When parsing the authority segment of an HTTP scheme URI, the Jetty HttpURI class improperly detects an invalid input as a hostname. This issue can lead to failures in a Proxy scenario.", "title": "Vulnerability description" }, { "category": "summary", "text": "jetty-http: improver hostname input handling", "title": "Vulnerability summary" }, { "category": "other", "text": "In Red Hat Satellite jetty was used to build index files to search documentation. Nowadays in Satellite 6.9 and 6.10 jetty dependency is not in use and there is no access to it, so there is no way this vulnerability can be exploitable. 
Therefore Satellite supported versions are not affected.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "AMQ Broker 7.11.0" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-2047" }, { "category": "external", "summary": "RHBZ#2116949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2116949" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-2047", "url": "https://www.cve.org/CVERecord?id=CVE-2022-2047" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-2047", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2047" }, { "category": "external", "summary": "https://github.com/eclipse/jetty.project/security/advisories/GHSA-cj7v-27pg-wf7q", "url": "https://github.com/eclipse/jetty.project/security/advisories/GHSA-cj7v-27pg-wf7q" } ], "release_date": "2022-07-07T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-04-05T13:34:59+00:00", "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", "product_ids": [ "AMQ Broker 7.11.0" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:1661" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 2.7, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": 
"NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N", "version": "3.1" }, "products": [ "AMQ Broker 7.11.0" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "jetty-http: improver hostname input handling" }, { "cve": "CVE-2022-3782", "cwe": { "id": "CWE-22", "name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)" }, "discovery_date": "2022-10-31T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2138971" } ], "notes": [ { "category": "description", "text": "A flaw was found in Keycloak, where it does not properly validate URLs included in a redirect. An attacker can use this flaw to construct a malicious request to bypass validation and access other URLs and potentially sensitive information within the domain or possibly conduct further attacks. This flaw affects any client that utilizes a wildcard in the Valid Redirect URIs field.", "title": "Vulnerability description" }, { "category": "summary", "text": "keycloak: path traversal via double URL encoding", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat Build of Quarkus is not impacted as this CVE affects the server-side Keycloak execution but Quarkus only acts as a Keycloak client in its quarkus-keycloak-authorization extension. 
For this reason Quarkus is marked with Low impact.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "AMQ Broker 7.11.0" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-3782" }, { "category": "external", "summary": "RHBZ#2138971", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2138971" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-3782", "url": "https://www.cve.org/CVERecord?id=CVE-2022-3782" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-3782", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3782" } ], "release_date": "2022-12-12T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-04-05T13:34:59+00:00", "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", "product_ids": [ "AMQ Broker 7.11.0" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:1661" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N", "version": "3.1" }, "products": [ "AMQ Broker 7.11.0" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": 
"keycloak: path traversal via double URL encoding" }, { "cve": "CVE-2022-22970", "cwe": { "id": "CWE-770", "name": "Allocation of Resources Without Limits or Throttling" }, "discovery_date": "2022-05-12T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2087272" } ], "notes": [ { "category": "description", "text": "A flaw was found in Spring Framework. Applications that handle file uploads are vulnerable to a denial of service (DoS) attack if they rely on data binding to set a MultipartFile or javax.servlet.Part to a field in a model object.", "title": "Vulnerability description" }, { "category": "summary", "text": "springframework: DoS via data binding to multipartFile or servlet part", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "AMQ Broker 7.11.0" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-22970" }, { "category": "external", "summary": "RHBZ#2087272", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2087272" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-22970", "url": "https://www.cve.org/CVERecord?id=CVE-2022-22970" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-22970", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-22970" }, { "category": "external", "summary": "https://tanzu.vmware.com/security/cve-2022-22970", "url": "https://tanzu.vmware.com/security/cve-2022-22970" } ], "release_date": "2022-05-11T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-04-05T13:34:59+00:00", "details": "Before applying the update, back up your existing installation, 
including all applications, configuration files, databases and database settings.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", "product_ids": [ "AMQ Broker 7.11.0" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:1661" } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "AMQ Broker 7.11.0" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "springframework: DoS via data binding to multipartFile or servlet part" }, { "cve": "CVE-2022-22971", "cwe": { "id": "CWE-770", "name": "Allocation of Resources Without Limits or Throttling" }, "discovery_date": "2022-05-12T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2087274" } ], "notes": [ { "category": "description", "text": "A flaw was found in Spring Framework Applications. 
Applications that use STOMP over the WebSocket endpoint are vulnerable to a denial of service attack caused by an authenticated user.", "title": "Vulnerability description" }, { "category": "summary", "text": "springframework: DoS with STOMP over WebSocket", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "AMQ Broker 7.11.0" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-22971" }, { "category": "external", "summary": "RHBZ#2087274", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2087274" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-22971", "url": "https://www.cve.org/CVERecord?id=CVE-2022-22971" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-22971", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-22971" }, { "category": "external", "summary": "https://tanzu.vmware.com/security/cve-2022-22971", "url": "https://tanzu.vmware.com/security/cve-2022-22971" } ], "release_date": "2022-05-11T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-04-05T13:34:59+00:00", "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", "product_ids": [ "AMQ Broker 7.11.0" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:1661" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, 
"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "AMQ Broker 7.11.0" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "springframework: DoS with STOMP over WebSocket" } ] }
rhsa-2023_1855
Vulnerability from csaf_redhat
Published
2023-04-18 19:01
Modified
2024-11-22 22:13
Summary
Red Hat Security Advisory: Red Hat JBoss EAP 7.4.10 XP 4.0.0.GA security release
Notes
Topic
JBoss EAP XP 4.0.0.GA security release on the EAP 7.4.10 base is now available. See references for release notes.
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
This is a cumulative patch release zip for the JBoss EAP XP 4.0.0 runtime distribution for use with EAP 7.4.10.
Security Fix(es):
* protobuf-java: Textformat parsing issue leads to DoS (CVE-2022-3509)
* protobuf-java: Message-Type Extensions parsing issue leads to DoS (CVE-2022-3510)
* WildFly: possible information disclosure (CVE-2022-1278)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Moderate" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "JBoss EAP XP 4.0.0.GA security release on the EAP 7.4.10 base is now available. See references for release notes.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", "title": "Topic" }, { "category": "general", "text": "This is a cumulative patch release zip for the JBoss EAP XP 4.0.0 runtime distribution for use with EAP 7.4.10.\n\nSecurity Fix(es):\n\n* protobuf-java: Textformat parsing issue leads to DoS (CVE-2022-3509)\n\n* protobuf-java: Message-Type Extensions parsing issue leads to DoS (CVE-2022-3510)\n\n* WildFly: possible information disclosure (CVE-2022-1278)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. 
and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2023:1855", "url": "https://access.redhat.com/errata/RHSA-2023:1855" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#moderate", "url": "https://access.redhat.com/security/updates/classification/#moderate" }, { "category": "external", "summary": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/html-single/red_hat_jboss_eap_xp_4.0.0_release_notes/index", "url": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/html-single/red_hat_jboss_eap_xp_4.0.0_release_notes/index" }, { "category": "external", "summary": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/html-single/jboss_eap_xp_4.0_upgrade_and_migration_guide/index", "url": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/html-single/jboss_eap_xp_4.0_upgrade_and_migration_guide/index" }, { "category": "external", "summary": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/html-single/using_jboss_eap_xp_4.0.0/index", "url": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/html-single/using_jboss_eap_xp_4.0.0/index" }, { "category": "external", "summary": "2073401", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2073401" }, { "category": "external", "summary": "2184161", "url": 
"https://bugzilla.redhat.com/show_bug.cgi?id=2184161" }, { "category": "external", "summary": "2184176", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2184176" }, { "category": "external", "summary": "JBEAP-24683", "url": "https://issues.redhat.com/browse/JBEAP-24683" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2023/rhsa-2023_1855.json" } ], "title": "Red Hat Security Advisory: Red Hat JBoss EAP 7.4.10 XP 4.0.0.GA security release", "tracking": { "current_release_date": "2024-11-22T22:13:23+00:00", "generator": { "date": "2024-11-22T22:13:23+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.2.1" } }, "id": "RHSA-2023:1855", "initial_release_date": "2023-04-18T19:01:20+00:00", "revision_history": [ { "date": "2023-04-18T19:01:20+00:00", "number": "1", "summary": "Initial version" }, { "date": "2024-06-05T10:53:43+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2024-11-22T22:13:23+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Red Hat JBoss Enterprise Application Platform Expansion Pack", "product": { "name": "Red Hat JBoss Enterprise Application Platform Expansion Pack", "product_id": "Red Hat JBoss Enterprise Application Platform Expansion Pack", "product_identification_helper": { "cpe": "cpe:/a:redhat:jbosseapxp" } } } ], "category": "product_family", "name": "Red Hat JBoss Enterprise Application Platform" } ], "category": "vendor", "name": "Red Hat" } ] }, "vulnerabilities": [ { "cve": "CVE-2022-1278", "cwe": { "id": "CWE-1188", "name": "Initialization of a Resource with an Insecure Default" }, "discovery_date": "2022-04-08T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2073401" } ], "notes": [ { "category": "description", "text": "A flaw was found in WildFly. 
This flaw allows an attacker to see deployment names, endpoints, and any other data the trace payload may contain.", "title": "Vulnerability description" }, { "category": "summary", "text": "WildFly: possible information disclosure", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat JBoss Enterprise Application Platform Expansion Pack" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-1278" }, { "category": "external", "summary": "RHBZ#2073401", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2073401" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-1278", "url": "https://www.cve.org/CVERecord?id=CVE-2022-1278" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-1278", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1278" } ], "release_date": "2022-04-08T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-04-18T19:01:20+00:00", "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "Red Hat JBoss Enterprise Application Platform Expansion Pack" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:1855" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", 
"userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1" }, "products": [ "Red Hat JBoss Enterprise Application Platform Expansion Pack" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "WildFly: possible information disclosure" }, { "cve": "CVE-2022-3509", "cwe": { "id": "CWE-915", "name": "Improperly Controlled Modification of Dynamically-Determined Object Attributes" }, "discovery_date": "2022-12-15T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2184161" } ], "notes": [ { "category": "description", "text": "A flaw was found in Textformat in protobuf-java core that can lead to a denial of service. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields can cause objects to convert between mutable and immutable forms, resulting in long garbage collection pauses.", "title": "Vulnerability description" }, { "category": "summary", "text": "protobuf-java: Textformat parsing issue leads to DoS", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat JBoss Enterprise Application Platform Expansion Pack" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-3509" }, { "category": "external", "summary": "RHBZ#2184161", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2184161" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-3509", "url": "https://www.cve.org/CVERecord?id=CVE-2022-3509" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-3509", "url": 
"https://nvd.nist.gov/vuln/detail/CVE-2022-3509" } ], "release_date": "2022-12-15T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-04-18T19:01:20+00:00", "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "Red Hat JBoss Enterprise Application Platform Expansion Pack" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:1855" } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "Red Hat JBoss Enterprise Application Platform Expansion Pack" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "protobuf-java: Textformat parsing issue leads to DoS" }, { "cve": "CVE-2022-3510", "cwe": { "id": "CWE-915", "name": "Improperly Controlled Modification of Dynamically-Determined Object Attributes" }, "discovery_date": "2022-12-15T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2184176" } ], "notes": [ { "category": "description", "text": "A flaw was found in Message-Type Extensions in protobuf-java core that can lead to a denial of service. 
Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields can cause objects to convert between mutable and immutable forms, resulting in long garbage collection pauses.", "title": "Vulnerability description" }, { "category": "summary", "text": "protobuf-java: Message-Type Extensions parsing issue leads to DoS", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat JBoss Enterprise Application Platform Expansion Pack" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-3510" }, { "category": "external", "summary": "RHBZ#2184176", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2184176" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-3510", "url": "https://www.cve.org/CVERecord?id=CVE-2022-3510" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-3510", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3510" } ], "release_date": "2022-12-15T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-04-18T19:01:20+00:00", "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "Red Hat JBoss Enterprise Application Platform Expansion Pack" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:1855" } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 5.3, 
"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "Red Hat JBoss Enterprise Application Platform Expansion Pack" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "protobuf-java: Message-Type Extensions parsing issue leads to DoS" } ] }
WID-SEC-W-2023-0864
Vulnerability from csaf_certbund
Published
2023-04-05 22:00
Modified
2023-05-18 22:00
Summary
Red Hat JBoss A-MQ: Multiple vulnerabilities
Notes
The BSI, as the provider of the content it makes available for use, is responsible for that content under the general laws. Users, however, are responsible for carefully checking the use and/or implementation of the information provided with the content on a case-by-case basis.
Product description
JBoss A-MQ is a messaging platform.
Attack
A remote, anonymous or authenticated attacker can exploit multiple vulnerabilities in Red Hat JBoss A-MQ to disclose information, bypass security measures and cause a denial-of-service condition.
Affected operating systems
- UNIX
- Linux
{ "document": { "aggregate_severity": { "text": "hoch" }, "category": "csaf_base", "csaf_version": "2.0", "distribution": { "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "de-DE", "notes": [ { "category": "legal_disclaimer", "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen." }, { "category": "description", "text": "JBoss A-MQ ist eine Messaging-Plattform.", "title": "Produktbeschreibung" }, { "category": "summary", "text": "Ein entfernter, anonymer oder authentisierter Angreifer kann mehrere Schwachstellen in Red Hat JBoss A-MQ ausnutzen, um Informationen offenzulegen, Sicherheitsma\u00dfnahmen zu umgehen und einen Denial-of-Service-Zustand zu verursachen.", "title": "Angriff" }, { "category": "general", "text": "- UNIX\n- Linux", "title": "Betroffene Betriebssysteme" } ], "publisher": { "category": "other", "contact_details": "csaf-provider@cert-bund.de", "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik", "namespace": "https://www.bsi.bund.de" }, "references": [ { "category": "self", "summary": "WID-SEC-W-2023-0864 - CSAF Version", "url": "https://wid.cert-bund.de/.well-known/csaf/white/2023/wid-sec-w-2023-0864.json" }, { "category": "self", "summary": "WID-SEC-2023-0864 - Portal Version", "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2023-0864" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2023:3185 vom 2023-05-17", "url": "https://access.redhat.com/errata/RHSA-2023:3185" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2023:1855 vom 2023-04-19", "url": "https://access.redhat.com/errata/RHSA-2023:1855" }, { "category": "external", "summary": "Red Hat Security 
Advisory vom 2023-04-05", "url": "https://access.redhat.com/errata/RHSA-2023:1661" } ], "source_lang": "en-US", "title": "Red Hat JBoss A-MQ: Mehrere Schwachstellen", "tracking": { "current_release_date": "2023-05-18T22:00:00.000+00:00", "generator": { "date": "2024-02-15T17:22:23.002+00:00", "engine": { "name": "BSI-WID", "version": "1.3.0" } }, "id": "WID-SEC-W-2023-0864", "initial_release_date": "2023-04-05T22:00:00.000+00:00", "revision_history": [ { "date": "2023-04-05T22:00:00.000+00:00", "number": "1", "summary": "Initiale Fassung" }, { "date": "2023-04-18T22:00:00.000+00:00", "number": "2", "summary": "Neue Updates von Red Hat aufgenommen" }, { "date": "2023-05-18T22:00:00.000+00:00", "number": "3", "summary": "Neue Updates von Red Hat aufgenommen" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "category": "product_name", "name": "Red Hat Enterprise Linux", "product": { "name": "Red Hat Enterprise Linux", "product_id": "67646", "product_identification_helper": { "cpe": "cpe:/o:redhat:enterprise_linux:-" } } }, { "branches": [ { "category": "product_name", "name": "Red Hat JBoss A-MQ Broker \u003c 7.11.0", "product": { "name": "Red Hat JBoss A-MQ Broker \u003c 7.11.0", "product_id": "T027097", "product_identification_helper": { "cpe": "cpe:/a:redhat:jboss_amq:broker__7.11.0" } } }, { "category": "product_name", "name": "Red Hat JBoss A-MQ \u003c 7.10.3", "product": { "name": "Red Hat JBoss A-MQ \u003c 7.10.3", "product_id": "T027762", "product_identification_helper": { "cpe": "cpe:/a:redhat:jboss_amq:7.10.3" } } } ], "category": "product_name", "name": "JBoss A-MQ" } ], "category": "vendor", "name": "Red Hat" } ] }, "vulnerabilities": [ { "cve": "CVE-2022-3782", "notes": [ { "category": "description", "text": "Es existiert eine Schwachstelle in Red Hat JBoss A-MQ. Der Fehler besteht in Keycloak aufgrund einer unsachgem\u00e4\u00dfen Validierung von URLs, die in einer Weiterleitung enthalten sind. 
Ein entfernter, anonymer Angreifer kann diese Schwachstelle ausnutzen, indem er eine b\u00f6sartige Anfrage konstruiert, um die Validierung zu umgehen und auf andere URLs und potenziell vertrauliche Informationen innerhalb der Domain zuzugreifen. Eine erfolgreiche Ausnutzung erfordert eine Benutzerinteraktion." } ], "product_status": { "known_affected": [ "67646", "T027762" ] }, "release_date": "2023-04-05T22:00:00Z", "title": "CVE-2022-3782" }, { "cve": "CVE-2022-22971", "notes": [ { "category": "description", "text": "In Red Hat JBoss A-MQ existieren mehrere Schwachstellen. Die Fehler bestehen im Spring Framework und treten auf, wenn Anwendungen STOMP \u00fcber den WebSocket-Endpunkt verwenden oder wenn Anwendungen Datei-Uploads verarbeiten und sich auf Datenbindungen verlassen, um ein MultipartFile oder javax.servlet.Part auf ein Feld in einem Modellobjekt zu setzen. Ein entfernter, authentisierter Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand zu verursachen." } ], "product_status": { "known_affected": [ "67646", "T027762" ] }, "release_date": "2023-04-05T22:00:00Z", "title": "CVE-2022-22971" }, { "cve": "CVE-2022-22970", "notes": [ { "category": "description", "text": "In Red Hat JBoss A-MQ existieren mehrere Schwachstellen. Die Fehler bestehen im Spring Framework und treten auf, wenn Anwendungen STOMP \u00fcber den WebSocket-Endpunkt verwenden oder wenn Anwendungen Datei-Uploads verarbeiten und sich auf Datenbindungen verlassen, um ein MultipartFile oder javax.servlet.Part auf ein Feld in einem Modellobjekt zu setzen. Ein entfernter, authentisierter Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand zu verursachen." } ], "product_status": { "known_affected": [ "67646", "T027762" ] }, "release_date": "2023-04-05T22:00:00Z", "title": "CVE-2022-22970" }, { "cve": "CVE-2022-2047", "notes": [ { "category": "description", "text": "Es existiert eine Schwachstelle in Red Hat JBoss A-MQ. 
Der Fehler besteht in Eclipse Jetty beim Parsen des Autorit\u00e4tssegments einer HTTP-Schema-URI. Unter diesen Umst\u00e4nden erkennt die Jetty HttpURI-Klasse f\u00e4lschlicherweise eine ung\u00fcltige Eingabe als Hostname, was zu Fehlern in einem Proxy-Szenario f\u00fchrt. Ein entfernter, authentisierter Angreifer mit bestimmten Rechten kann diese Schwachstelle zur Umgehung von Sicherheitsma\u00dfnahmen ausnutzen." } ], "product_status": { "known_affected": [ "67646", "T027762" ] }, "release_date": "2023-04-05T22:00:00Z", "title": "CVE-2022-2047" }, { "cve": "CVE-2022-1278", "notes": [ { "category": "description", "text": "Es existiert eine Schwachstelle in Red Hat JBoss A-MQ. Der Fehler besteht in Wildfly. Ein entfernter, anonymer Angreifer kann diese Schwachstelle ausnutzen, um Einsatznamen, Endpunkte und alle anderen Daten, die die Trace-Nutzlast enthalten kann, zu sehen." } ], "product_status": { "known_affected": [ "67646", "T027762" ] }, "release_date": "2023-04-05T22:00:00Z", "title": "CVE-2022-1278" } ] }
ghsa-fmq7-gh8v-mjvc
Vulnerability from github
Published
2022-09-14 00:00
Modified
2022-09-16 21:59
Severity ?
Summary
WildFly vulnerable to Insecure Default Initialization of Resource
Details
A flaw was found in WildFly, where an attacker can see deployment names, endpoints, and any other data the trace payload may contain.
{ "affected": [ { "package": { "ecosystem": "Maven", "name": "org.wildfly.bom:wildfly" }, "ranges": [ { "events": [ { "introduced": "0" }, { "fixed": "27.0.0.Beta1" } ], "type": "ECOSYSTEM" } ] } ], "aliases": [ "CVE-2022-1278" ], "database_specific": { "cwe_ids": [ "CWE-1188" ], "github_reviewed": true, "github_reviewed_at": "2022-09-15T03:23:37Z", "nvd_published_at": "2022-09-13T14:15:00Z", "severity": "HIGH" }, "details": "A flaw was found in WildFly, where an attacker can see deployment names, endpoints, and any other data the trace payload may contain.", "id": "GHSA-fmq7-gh8v-mjvc", "modified": "2022-09-16T21:59:13Z", "published": "2022-09-14T00:00:48Z", "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1278" }, { "type": "WEB", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2073401" }, { "type": "PACKAGE", "url": "https://github.com/wildfly/boms" }, { "type": "WEB", "url": "https://issues.redhat.com/browse/WFLY-16238" } ], "schema_version": "1.4.0", "severity": [ { "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "type": "CVSS_V3" } ], "summary": "WildFly vulnerable to Insecure Default Initialization of Resource" }
gsd-2022-1278
Vulnerability from gsd
Modified
2023-12-13 01:19
Details
A flaw was found in WildFly, where an attacker can see deployment names, endpoints, and any other data the trace payload may contain.
Aliases
{ "GSD": { "alias": "CVE-2022-1278", "description": "A flaw was found in WildFly, where an attacker can see deployment names, endpoints, and any other data the trace payload may contain.", "id": "GSD-2022-1278" }, "gsd": { "metadata": { "exploitCode": "unknown", "remediation": "unknown", "reportConfidence": "confirmed", "type": "vulnerability" }, "osvSchema": { "aliases": [ "CVE-2022-1278" ], "details": "A flaw was found in WildFly, where an attacker can see deployment names, endpoints, and any other data the trace payload may contain.", "id": "GSD-2022-1278", "modified": "2023-12-13T01:19:28.206011Z", "schema_version": "1.4.0" } }, "namespaces": { "cve.org": { "CVE_data_meta": { "ASSIGNER": "secalert@redhat.com", "ID": "CVE-2022-1278", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "WildFly", "version": { "version_data": [ { "version_affected": "=", "version_value": "no fixed versions known" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "A flaw was found in WildFly, where an attacker can see deployment names, endpoints, and any other data the trace payload may contain." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "cweId": "CWE-1188", "lang": "eng", "value": "CWE-1188" } ] } ] }, "references": { "reference_data": [ { "name": "https://bugzilla.redhat.com/show_bug.cgi?id=2073401", "refsource": "MISC", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2073401" } ] } }, "gitlab.com": { "advisories": [ { "affected_range": "(,27.0.0.Beta1)", "affected_versions": "All versions before 27.0.0.beta1", "cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "cwe_ids": [ "CWE-1035", "CWE-1188", "CWE-937" ], "date": "2022-09-15", "description": "A flaw was found in WildFly, where an attacker can see deployment names, endpoints, and any other data the trace payload may contain.", "fixed_versions": [ "27.0.0.Beta1" ], "identifier": "CVE-2022-1278", "identifiers": [ "GHSA-fmq7-gh8v-mjvc", "CVE-2022-1278" ], "not_impacted": "All versions starting from 27.0.0.beta1", "package_slug": "maven/org.wildfly.bom/wildfly", "pubdate": "2022-09-14", "solution": "Upgrade to version 27.0.0.Beta1 or above.", "title": "Insecure Default Initialization of Resource", "urls": [ "https://nvd.nist.gov/vuln/detail/CVE-2022-1278", "https://bugzilla.redhat.com/show_bug.cgi?id=2073401", "https://issues.redhat.com/browse/WFLY-16238", "https://github.com/advisories/GHSA-fmq7-gh8v-mjvc" ], "uuid": "afd7a643-0f97-4ff6-b0cb-a6bc7cd1fc73" } ] }, "nvd.nist.gov": { "configurations": { "CVE_data_version": "4.0", "nodes": [ { "children": [], "cpe_match": [ { "cpe23Uri": "cpe:2.3:a:redhat:wildfly:*:*:*:*:*:*:*:*", "cpe_name": [], "versionEndExcluding": "27.0.0", "vulnerable": true } ], "operator": "OR" }, { "children": [], "cpe_match": [ { "cpe23Uri": "cpe:2.3:a:redhat:single_sign-on:7.0:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:redhat:amq:2.0:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:redhat:integration_service_registry:-:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { 
"cpe23Uri": "cpe:2.3:a:redhat:integration_camel_k:-:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:redhat:jboss_a-mq:7:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:redhat:jboss_enterprise_application_platform_expansion_pack:-:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:redhat:amq_online:-:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true } ], "operator": "OR" } ] }, "cve": { "CVE_data_meta": { "ASSIGNER": "secalert@redhat.com", "ID": "CVE-2022-1278" }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "en", "value": "A flaw was found in WildFly, where an attacker can see deployment names, endpoints, and any other data the trace payload may contain." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "en", "value": "CWE-1188" } ] } ] }, "references": { "reference_data": [ { "name": "https://bugzilla.redhat.com/show_bug.cgi?id=2073401", "refsource": "MISC", "tags": [ "Issue Tracking", "Vendor Advisory" ], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2073401" } ] } }, "impact": { "baseMetricV3": { "cvssV3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 3.6 } }, "lastModifiedDate": "2023-03-22T18:04Z", "publishedDate": "2022-09-13T14:15Z" } } }
Sightings
| Author | Source | Type | Date |
|---|---|---|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.