cvelistv5 - cve-2022-4245

cve-2022-4245

Vulnerability from cvelistv5

Published

2023-09-25 19:20

Modified

2024-08-03 01:34

Severity ?

4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Summary

A flaw was found in codehaus-plexus. The org.codehaus.plexus.util.xml.XmlWriterUtil#writeComment fails to sanitize comments for a --> sequence. This issue means that text contained in the command string could be interpreted as XML and allow for XML injection.

References

URL	Tags
secalert@redhat.com	https://access.redhat.com/errata/RHSA-2023:2135	Third Party Advisory
secalert@redhat.com	https://access.redhat.com/errata/RHSA-2023:3906	Third Party Advisory
secalert@redhat.com	https://access.redhat.com/security/cve/CVE-2022-4245	Third Party Advisory
secalert@redhat.com	https://bugzilla.redhat.com/show_bug.cgi?id=2149843	Issue Tracking, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://access.redhat.com/errata/RHSA-2023:2135	Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://access.redhat.com/errata/RHSA-2023:3906	Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://access.redhat.com/security/cve/CVE-2022-4245	Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://bugzilla.redhat.com/show_bug.cgi?id=2149843	Issue Tracking, Third Party Advisory

Impacted products

Vendor

Product

Version

▼

Red Hat

RHINT Camel-K-1.10.1

cpe:/a:redhat:camel_k:1

Red Hat	RHPAM 7.13.1 async	cpe:/a:redhat:jboss_enterprise_bpms_platform:7.13
Red Hat	A-MQ Clients 2	cpe:/a:redhat:a_mq_clients:2
Red Hat	Red Hat A-MQ Online	cpe:/a:redhat:amq_online:1
Red Hat	Red Hat build of Apache Camel for Spring Boot	cpe:/a:redhat:camel_spring_boot:3
Red Hat	Red Hat build of Quarkus	cpe:/a:redhat:quarkus:2
Red Hat	Red Hat Data Grid 8	cpe:/a:redhat:jboss_data_grid:8
Red Hat	Red Hat Decision Manager 7	cpe:/a:redhat:jboss_enterprise_brms_platform:7
Red Hat	Red Hat Enterprise Linux 7	cpe:/o:redhat:enterprise_linux:7
Red Hat	Red Hat Enterprise Linux 8	cpe:/o:redhat:enterprise_linux:8
Red Hat	Red Hat Enterprise Linux 8	cpe:/o:redhat:enterprise_linux:8
Red Hat	Red Hat Enterprise Linux 9	cpe:/o:redhat:enterprise_linux:9
Red Hat	Red Hat Enterprise Linux 9	cpe:/o:redhat:enterprise_linux:9
Red Hat	Red Hat Integration Camel Quarkus	cpe:/a:redhat:camel_quarkus:2
Red Hat	Red Hat Integration Change Data Capture	cpe:/a:redhat:integration:1
Red Hat	Red Hat Integration Service Registry	cpe:/a:redhat:service_registry:2
Red Hat	Red Hat JBoss A-MQ 7	cpe:/a:redhat:amq_broker:7
Red Hat	Red Hat JBoss Data Grid 7	cpe:/a:redhat:jboss_data_grid:7
Red Hat	Red Hat JBoss Enterprise Application Platform 6	cpe:/a:redhat:jboss_enterprise_application_platform:6
Red Hat	Red Hat JBoss Enterprise Application Platform 7	cpe:/a:redhat:jboss_enterprise_application_platform:7
Red Hat	Red Hat JBoss Enterprise Application Platform Expansion Pack	cpe:/a:redhat:jbosseapxp
Red Hat	Red Hat JBoss Fuse 6	cpe:/a:redhat:jboss_fuse:6
Red Hat	Red Hat JBoss Fuse 7	cpe:/a:redhat:jboss_fuse:7
Red Hat	Red Hat JBoss Fuse Service Works 6	cpe:/a:redhat:jboss_fuse_service_works:6
Red Hat	Red Hat JBoss Web Server 3	cpe:/a:redhat:jboss_enterprise_web_server:3
Red Hat	Red Hat JBoss Web Server 5	cpe:/a:redhat:jboss_enterprise_web_server:5
Red Hat	Red Hat OpenShift Application Runtimes	cpe:/a:redhat:openshift_application_runtimes:1.0
Red Hat	Red Hat Process Automation 7	cpe:/a:redhat:jboss_enterprise_bpms_platform:7
Red Hat	Red Hat Single Sign-On 7	cpe:/a:redhat:red_hat_single_sign_on:7
Red Hat	Red Hat Software Collections	cpe:/a:redhat:rhel_software_collections:3
Red Hat	Red Hat Software Collections	cpe:/a:redhat:rhel_software_collections:3
Red Hat	Red Hat Software Collections	cpe:/a:redhat:rhel_software_collections:3
Red Hat	Red Hat Software Collections	cpe:/a:redhat:rhel_software_collections:3
Red Hat	Red Hat Software Collections	cpe:/a:redhat:rhel_software_collections:3
Red Hat	Red Hat Software Collections	cpe:/a:redhat:rhel_software_collections:3
Red Hat	Red Hat Software Collections	cpe:/a:redhat:rhel_software_collections:3
Red Hat	Red Hat Software Collections	cpe:/a:redhat:rhel_software_collections:3
Red Hat	Red Hat Software Collections	cpe:/a:redhat:rhel_software_collections:3
Red Hat	Red Hat Software Collections	cpe:/a:redhat:rhel_software_collections:3
Red Hat	Red Hat Software Collections	cpe:/a:redhat:rhel_software_collections:3
Red Hat	Red Hat Software Collections	cpe:/a:redhat:rhel_software_collections:3
Red Hat	Red Hat support for Spring Boot	cpe:/a:redhat:openshift_application_runtimes:1.0

Show details on NVD website

JSON

To clipboard

{
   containers: {
      adp: [
         {
            metrics: [
               {
                  other: {
                     content: {
                        id: "CVE-2022-4245",
                        options: [
                           {
                              Exploitation: "none",
                           },
                           {
                              Automatable: "no",
                           },
                           {
                              "Technical Impact": "partial",
                           },
                        ],
                        role: "CISA Coordinator",
                        timestamp: "2024-05-07T17:32:13.401725Z",
                        version: "2.0.3",
                     },
                     type: "ssvc",
                  },
               },
            ],
            providerMetadata: {
               dateUpdated: "2024-06-04T17:16:32.674Z",
               orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0",
               shortName: "CISA-ADP",
            },
            title: "CISA ADP Vulnrichment",
         },
         {
            providerMetadata: {
               dateUpdated: "2024-08-03T01:34:49.896Z",
               orgId: "af854a3a-2127-422b-91ae-364da2661108",
               shortName: "CVE",
            },
            references: [
               {
                  name: "RHSA-2023:2135",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_REDHAT",
                     "x_transferred",
                  ],
                  url: "https://access.redhat.com/errata/RHSA-2023:2135",
               },
               {
                  name: "RHSA-2023:3906",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_REDHAT",
                     "x_transferred",
                  ],
                  url: "https://access.redhat.com/errata/RHSA-2023:3906",
               },
               {
                  tags: [
                     "vdb-entry",
                     "x_refsource_REDHAT",
                     "x_transferred",
                  ],
                  url: "https://access.redhat.com/security/cve/CVE-2022-4245",
               },
               {
                  name: "RHBZ#2149843",
                  tags: [
                     "issue-tracking",
                     "x_refsource_REDHAT",
                     "x_transferred",
                  ],
                  url: "https://bugzilla.redhat.com/show_bug.cgi?id=2149843",
               },
            ],
            title: "CVE Program Container",
         },
      ],
      cna: {
         affected: [
            {
               collectionURL: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html",
               cpes: [
                  "cpe:/a:redhat:camel_k:1",
               ],
               defaultStatus: "unaffected",
               packageName: "codehaus-plexus",
               product: "RHINT Camel-K-1.10.1",
               vendor: "Red Hat",
            },
            {
               collectionURL: "https://access.redhat.com/downloads/content/package-browser/",
               cpes: [
                  "cpe:/a:redhat:jboss_enterprise_bpms_platform:7.13",
               ],
               defaultStatus: "unaffected",
               product: "RHPAM 7.13.1 async",
               vendor: "Red Hat",
            },
            {
               collectionURL: "https://access.redhat.com/downloads/content/package-browser/",
               cpes: [
                  "cpe:/a:redhat:a_mq_clients:2",
               ],
               defaultStatus: "affected",
               packageName: "codehaus-plexus",
               product: "A-MQ Clients 2",
               vendor: "Red Hat",
            },
            {
               collectionURL: "https://access.redhat.com/downloads/content/package-browser/",
               cpes: [
                  "cpe:/a:redhat:amq_online:1",
               ],
               defaultStatus: "affected",
               packageName: "codehaus-plexus",
               product: "Red Hat A-MQ Online",
               vendor: "Red Hat",
            },
            {
               collectionURL: "https://access.redhat.com/downloads/content/package-browser/",
               cpes: [
                  "cpe:/a:redhat:camel_spring_boot:3",
               ],
               defaultStatus: "affected",
               packageName: "codehaus-plexus",
               product: "Red Hat build of Apache Camel for Spring Boot",
               vendor: "Red Hat",
            },
            {
               collectionURL: "https://access.redhat.com/downloads/content/package-browser/",
               cpes: [
                  "cpe:/a:redhat:quarkus:2",
               ],
               defaultStatus: "affected",
               packageName: "codehaus-plexus",
               product: "Red Hat build of Quarkus",
               vendor: "Red Hat",
            },
            {
               collectionURL: "https://access.redhat.com/downloads/content/package-browser/",
               cpes: [
                  "cpe:/a:redhat:jboss_data_grid:8",
               ],
               defaultStatus: "affected",
               packageName: "codehaus-plexus",
               product: "Red Hat Data Grid 8",
               vendor: "Red Hat",
            },
            {
               collectionURL: "https://access.redhat.com/downloads/content/package-browser/",
               cpes: [
                  "cpe:/a:redhat:jboss_enterprise_brms_platform:7",
               ],
               defaultStatus: "unknown",
               packageName: "codehaus-plexus",
               product: "Red Hat Decision Manager 7",
               vendor: "Red Hat",
            },
            {
               collectionURL: "https://access.redhat.com/downloads/content/package-browser/",
               cpes: [
                  "cpe:/o:redhat:enterprise_linux:7",
               ],
               defaultStatus: "unknown",
               packageName: "plexus-utils",
               product: "Red Hat Enterprise Linux 7",
               vendor: "Red Hat",
            },
            {
               collectionURL: "https://access.redhat.com/downloads/content/package-browser/",
               cpes: [
                  "cpe:/o:redhat:enterprise_linux:8",
               ],
               defaultStatus: "unaffected",
               packageName: "maven:3.6/plexus-utils",
               product: "Red Hat Enterprise Linux 8",
               vendor: "Red Hat",
            },
            {
               collectionURL: "https://access.redhat.com/downloads/content/package-browser/",
               cpes: [
                  "cpe:/o:redhat:enterprise_linux:8",
               ],
               defaultStatus: "unaffected",
               packageName: "maven:3.8/plexus-utils",
               product: "Red Hat Enterprise Linux 8",
               vendor: "Red Hat",
            },
            {
               collectionURL: "https://access.redhat.com/downloads/content/package-browser/",
               cpes: [
                  "cpe:/o:redhat:enterprise_linux:9",
               ],
               defaultStatus: "unaffected",
               packageName: "maven:3.8/plexus-utils",
               product: "Red Hat Enterprise Linux 9",
               vendor: "Red Hat",
            },
            {
               collectionURL: "https://access.redhat.com/downloads/content/package-browser/",
               cpes: [
                  "cpe:/o:redhat:enterprise_linux:9",
               ],
               defaultStatus: "unaffected",
               packageName: "plexus-utils",
               product: "Red Hat Enterprise Linux 9",
               vendor: "Red Hat",
            },
            {
               collectionURL: "https://access.redhat.com/downloads/content/package-browser/",
               cpes: [
                  "cpe:/a:redhat:camel_quarkus:2",
               ],
               defaultStatus: "affected",
               packageName: "codehaus-plexus",
               product: "Red Hat Integration Camel Quarkus",
               vendor: "Red Hat",
            },
            {
               collectionURL: "https://access.redhat.com/downloads/content/package-browser/",
               cpes: [
                  "cpe:/a:redhat:integration:1",
               ],
               defaultStatus: "affected",
               packageName: "codehaus-plexus",
               product: "Red Hat Integration Change Data Capture",
               vendor: "Red Hat",
            },
            {
               collectionURL: "https://access.redhat.com/downloads/content/package-browser/",
               cpes: [
                  "cpe:/a:redhat:service_registry:2",
               ],
               defaultStatus: "affected",
               packageName: "codehaus-plexus",
               product: "Red Hat Integration Service Registry",
               vendor: "Red Hat",
            },
            {
               collectionURL: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html",
               cpes: [
                  "cpe:/a:redhat:amq_broker:7",
               ],
               defaultStatus: "affected",
               packageName: "codehaus-plexus",
               product: "Red Hat JBoss A-MQ 7",
               vendor: "Red Hat",
            },
            {
               collectionURL: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html",
               cpes: [
                  "cpe:/a:redhat:jboss_data_grid:7",
               ],
               defaultStatus: "unknown",
               packageName: "codehaus-plexus",
               product: "Red Hat JBoss Data Grid 7",
               vendor: "Red Hat",
            },
            {
               collectionURL: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html",
               cpes: [
                  "cpe:/a:redhat:jboss_enterprise_application_platform:6",
               ],
               defaultStatus: "unknown",
               packageName: "codehaus-plexus",
               product: "Red Hat JBoss Enterprise Application Platform 6",
               vendor: "Red Hat",
            },
            {
               collectionURL: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html",
               cpes: [
                  "cpe:/a:redhat:jboss_enterprise_application_platform:7",
               ],
               defaultStatus: "unaffected",
               packageName: "codehaus-plexus",
               product: "Red Hat JBoss Enterprise Application Platform 7",
               vendor: "Red Hat",
            },
            {
               collectionURL: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html",
               cpes: [
                  "cpe:/a:redhat:jbosseapxp",
               ],
               defaultStatus: "unaffected",
               packageName: "codehaus-plexus",
               product: "Red Hat JBoss Enterprise Application Platform Expansion Pack",
               vendor: "Red Hat",
            },
            {
               collectionURL: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html",
               cpes: [
                  "cpe:/a:redhat:jboss_fuse:6",
               ],
               defaultStatus: "unknown",
               packageName: "codehaus-plexus",
               product: "Red Hat JBoss Fuse 6",
               vendor: "Red Hat",
            },
            {
               collectionURL: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html",
               cpes: [
                  "cpe:/a:redhat:jboss_fuse:7",
               ],
               defaultStatus: "affected",
               packageName: "codehaus-plexus",
               product: "Red Hat JBoss Fuse 7",
               vendor: "Red Hat",
            },
            {
               collectionURL: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html",
               cpes: [
                  "cpe:/a:redhat:jboss_fuse_service_works:6",
               ],
               defaultStatus: "unknown",
               packageName: "codehaus-plexus",
               product: "Red Hat JBoss Fuse Service Works 6",
               vendor: "Red Hat",
            },
            {
               collectionURL: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html",
               cpes: [
                  "cpe:/a:redhat:jboss_enterprise_web_server:3",
               ],
               defaultStatus: "unknown",
               packageName: "codehaus-plexus",
               product: "Red Hat JBoss Web Server 3",
               vendor: "Red Hat",
            },
            {
               collectionURL: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html",
               cpes: [
                  "cpe:/a:redhat:jboss_enterprise_web_server:5",
               ],
               defaultStatus: "unaffected",
               packageName: "codehaus-plexus",
               product: "Red Hat JBoss Web Server 5",
               vendor: "Red Hat",
            },
            {
               collectionURL: "https://access.redhat.com/downloads/content/package-browser/",
               cpes: [
                  "cpe:/a:redhat:openshift_application_runtimes:1.0",
               ],
               defaultStatus: "unaffected",
               packageName: "codehaus-plexus",
               product: "Red Hat OpenShift Application Runtimes",
               vendor: "Red Hat",
            },
            {
               collectionURL: "https://access.redhat.com/downloads/content/package-browser/",
               cpes: [
                  "cpe:/a:redhat:jboss_enterprise_bpms_platform:7",
               ],
               defaultStatus: "affected",
               packageName: "codehaus-plexus",
               product: "Red Hat Process Automation 7",
               vendor: "Red Hat",
            },
            {
               collectionURL: "https://access.redhat.com/downloads/content/package-browser/",
               cpes: [
                  "cpe:/a:redhat:red_hat_single_sign_on:7",
               ],
               defaultStatus: "affected",
               packageName: "org.codehaus.plexus-plexus-utils",
               product: "Red Hat Single Sign-On 7",
               vendor: "Red Hat",
            },
            {
               collectionURL: "https://access.redhat.com/downloads/content/package-browser/",
               cpes: [
                  "cpe:/a:redhat:rhel_software_collections:3",
               ],
               defaultStatus: "affected",
               packageName: "rh-maven36-byte-buddy",
               product: "Red Hat Software Collections",
               vendor: "Red Hat",
            },
            {
               collectionURL: "https://access.redhat.com/downloads/content/package-browser/",
               cpes: [
                  "cpe:/a:redhat:rhel_software_collections:3",
               ],
               defaultStatus: "unaffected",
               packageName: "rh-maven36-maven",
               product: "Red Hat Software Collections",
               vendor: "Red Hat",
            },
            {
               collectionURL: "https://access.redhat.com/downloads/content/package-browser/",
               cpes: [
                  "cpe:/a:redhat:rhel_software_collections:3",
               ],
               defaultStatus: "unaffected",
               packageName: "rh-maven36-maven-archiver",
               product: "Red Hat Software Collections",
               vendor: "Red Hat",
            },
            {
               collectionURL: "https://access.redhat.com/downloads/content/package-browser/",
               cpes: [
                  "cpe:/a:redhat:rhel_software_collections:3",
               ],
               defaultStatus: "affected",
               packageName: "rh-maven36-maven-assembly-plugin",
               product: "Red Hat Software Collections",
               vendor: "Red Hat",
            },
            {
               collectionURL: "https://access.redhat.com/downloads/content/package-browser/",
               cpes: [
                  "cpe:/a:redhat:rhel_software_collections:3",
               ],
               defaultStatus: "affected",
               packageName: "rh-maven36-maven-compiler-plugin",
               product: "Red Hat Software Collections",
               vendor: "Red Hat",
            },
            {
               collectionURL: "https://access.redhat.com/downloads/content/package-browser/",
               cpes: [
                  "cpe:/a:redhat:rhel_software_collections:3",
               ],
               defaultStatus: "unaffected",
               packageName: "rh-maven36-maven-jar-plugin",
               product: "Red Hat Software Collections",
               vendor: "Red Hat",
            },
            {
               collectionURL: "https://access.redhat.com/downloads/content/package-browser/",
               cpes: [
                  "cpe:/a:redhat:rhel_software_collections:3",
               ],
               defaultStatus: "affected",
               packageName: "rh-maven36-maven-plugin-bundle",
               product: "Red Hat Software Collections",
               vendor: "Red Hat",
            },
            {
               collectionURL: "https://access.redhat.com/downloads/content/package-browser/",
               cpes: [
                  "cpe:/a:redhat:rhel_software_collections:3",
               ],
               defaultStatus: "unaffected",
               packageName: "rh-maven36-maven-remote-resources-plugin",
               product: "Red Hat Software Collections",
               vendor: "Red Hat",
            },
            {
               collectionURL: "https://access.redhat.com/downloads/content/package-browser/",
               cpes: [
                  "cpe:/a:redhat:rhel_software_collections:3",
               ],
               defaultStatus: "affected",
               packageName: "rh-maven36-maven-shade-plugin",
               product: "Red Hat Software Collections",
               vendor: "Red Hat",
            },
            {
               collectionURL: "https://access.redhat.com/downloads/content/package-browser/",
               cpes: [
                  "cpe:/a:redhat:rhel_software_collections:3",
               ],
               defaultStatus: "affected",
               packageName: "rh-maven36-maven-source-plugin",
               product: "Red Hat Software Collections",
               vendor: "Red Hat",
            },
            {
               collectionURL: "https://access.redhat.com/downloads/content/package-browser/",
               cpes: [
                  "cpe:/a:redhat:rhel_software_collections:3",
               ],
               defaultStatus: "affected",
               packageName: "rh-maven36-maven-surefire",
               product: "Red Hat Software Collections",
               vendor: "Red Hat",
            },
            {
               collectionURL: "https://access.redhat.com/downloads/content/package-browser/",
               cpes: [
                  "cpe:/a:redhat:rhel_software_collections:3",
               ],
               defaultStatus: "unaffected",
               packageName: "rh-maven36-plexus-utils",
               product: "Red Hat Software Collections",
               vendor: "Red Hat",
            },
            {
               collectionURL: "https://access.redhat.com/downloads/content/package-browser/",
               cpes: [
                  "cpe:/a:redhat:openshift_application_runtimes:1.0",
               ],
               defaultStatus: "affected",
               packageName: "codehaus-plexus",
               product: "Red Hat support for Spring Boot",
               vendor: "Red Hat",
            },
         ],
         datePublic: "2022-12-01T00:00:00+00:00",
         descriptions: [
            {
               lang: "en",
               value: "A flaw was found in codehaus-plexus. The org.codehaus.plexus.util.xml.XmlWriterUtil#writeComment fails to sanitize comments for a --> sequence. This issue means that text contained in the command string could be interpreted as XML and allow for XML injection.",
            },
         ],
         metrics: [
            {
               other: {
                  content: {
                     namespace: "https://access.redhat.com/security/updates/classification/",
                     value: "Moderate",
                  },
                  type: "Red Hat severity rating",
               },
            },
            {
               cvssV3_1: {
                  attackComplexity: "LOW",
                  attackVector: "NETWORK",
                  availabilityImpact: "NONE",
                  baseScore: 4.3,
                  baseSeverity: "MEDIUM",
                  confidentialityImpact: "LOW",
                  integrityImpact: "NONE",
                  privilegesRequired: "LOW",
                  scope: "UNCHANGED",
                  userInteraction: "NONE",
                  vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
                  version: "3.1",
               },
               format: "CVSS",
            },
         ],
         problemTypes: [
            {
               descriptions: [
                  {
                     cweId: "CWE-91",
                     description: "XML Injection (aka Blind XPath Injection)",
                     lang: "en",
                     type: "CWE",
                  },
               ],
            },
         ],
         providerMetadata: {
            dateUpdated: "2024-05-03T15:32:28.238Z",
            orgId: "53f830b8-0a3f-465b-8143-3b8a9948e749",
            shortName: "redhat",
         },
         references: [
            {
               name: "RHSA-2023:2135",
               tags: [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
               ],
               url: "https://access.redhat.com/errata/RHSA-2023:2135",
            },
            {
               name: "RHSA-2023:3906",
               tags: [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
               ],
               url: "https://access.redhat.com/errata/RHSA-2023:3906",
            },
            {
               tags: [
                  "vdb-entry",
                  "x_refsource_REDHAT",
               ],
               url: "https://access.redhat.com/security/cve/CVE-2022-4245",
            },
            {
               name: "RHBZ#2149843",
               tags: [
                  "issue-tracking",
                  "x_refsource_REDHAT",
               ],
               url: "https://bugzilla.redhat.com/show_bug.cgi?id=2149843",
            },
         ],
         timeline: [
            {
               lang: "en",
               time: "2022-12-01T00:00:00+00:00",
               value: "Reported to Red Hat.",
            },
            {
               lang: "en",
               time: "2022-12-01T00:00:00+00:00",
               value: "Made public.",
            },
         ],
         title: "Codehaus-plexus: xml external entity (xxe) injection",
         x_redhatCweChain: "CWE-91: XML Injection (aka Blind XPath Injection)",
      },
   },
   cveMetadata: {
      assignerOrgId: "53f830b8-0a3f-465b-8143-3b8a9948e749",
      assignerShortName: "redhat",
      cveId: "CVE-2022-4245",
      datePublished: "2023-09-25T19:20:57.329Z",
      dateReserved: "2022-12-01T06:39:39.475Z",
      dateUpdated: "2024-08-03T01:34:49.896Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
   "vulnerability-lookup:meta": {
      fkie_nvd: {
         configurations: "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:codehaus-plexus:plexus-utils:*:*:*:*:*:*:*:*\", \"versionEndExcluding\": \"3.0.24\", \"matchCriteriaId\": \"EA55EA05-9741-46F1-95D7-6F4E2ACAEE8A\"}]}]}, {\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:redhat:integration_camel_k:*:*:*:*:*:*:*:*\", \"versionEndExcluding\": \"1.10.1\", \"matchCriteriaId\": \"0E66C6CC-DA05-4BF4-84B5-D537606B0467\"}]}]}]",
         descriptions: "[{\"lang\": \"en\", \"value\": \"A flaw was found in codehaus-plexus. The org.codehaus.plexus.util.xml.XmlWriterUtil#writeComment fails to sanitize comments for a --> sequence. This issue means that text contained in the command string could be interpreted as XML and allow for XML injection.\"}, {\"lang\": \"es\", \"value\": \"Se encontr\\u00f3 una falla en codehaus-plexus. El org.codehaus.plexus.util.xml.XmlWriterUtil#writeComment no puede sanitizar los comentarios para una secuencia --&gt;. Este problema significa que el texto contenido en la cadena de comando podr\\u00eda interpretarse como XML y permitir la inyecci\\u00f3n de XML.\"}]",
         id: "CVE-2022-4245",
         lastModified: "2024-11-21T07:34:51.700",
         metrics: "{\"cvssMetricV31\": [{\"source\": \"secalert@redhat.com\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N\", \"baseScore\": 4.3, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"LOW\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 2.8, \"impactScore\": 1.4}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N\", \"baseScore\": 4.3, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"LOW\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 2.8, \"impactScore\": 1.4}]}",
         published: "2023-09-25T20:15:10.400",
         references: "[{\"url\": \"https://access.redhat.com/errata/RHSA-2023:2135\", \"source\": \"secalert@redhat.com\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://access.redhat.com/errata/RHSA-2023:3906\", \"source\": \"secalert@redhat.com\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://access.redhat.com/security/cve/CVE-2022-4245\", \"source\": \"secalert@redhat.com\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://bugzilla.redhat.com/show_bug.cgi?id=2149843\", \"source\": \"secalert@redhat.com\", \"tags\": [\"Issue Tracking\", \"Third Party Advisory\"]}, {\"url\": \"https://access.redhat.com/errata/RHSA-2023:2135\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://access.redhat.com/errata/RHSA-2023:3906\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://access.redhat.com/security/cve/CVE-2022-4245\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://bugzilla.redhat.com/show_bug.cgi?id=2149843\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Issue Tracking\", \"Third Party Advisory\"]}]",
         sourceIdentifier: "secalert@redhat.com",
         vulnStatus: "Modified",
         weaknesses: "[{\"source\": \"secalert@redhat.com\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-91\"}]}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-611\"}]}]",
      },
      nvd: "{\"cve\":{\"id\":\"CVE-2022-4245\",\"sourceIdentifier\":\"secalert@redhat.com\",\"published\":\"2023-09-25T20:15:10.400\",\"lastModified\":\"2024-11-21T07:34:51.700\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"A flaw was found in codehaus-plexus. The org.codehaus.plexus.util.xml.XmlWriterUtil#writeComment fails to sanitize comments for a --> sequence. This issue means that text contained in the command string could be interpreted as XML and allow for XML injection.\"},{\"lang\":\"es\",\"value\":\"Se encontró una falla en codehaus-plexus. El org.codehaus.plexus.util.xml.XmlWriterUtil#writeComment no puede sanitizar los comentarios para una secuencia --&gt;. Este problema significa que el texto contenido en la cadena de comando podría interpretarse como XML y permitir la inyección de XML.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"secalert@redhat.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N\",\"baseScore\":4.3,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":1.4},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N\",\"baseScore\":4.3,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":1.4}]},\"weaknesses\":[{\"source\":\"secalert@redhat.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-91\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-611\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:codehaus-plexus:plexus-utils:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"3.0.24\",\"matchCriteriaId\":\"EA55EA05-9741-46F1-95D7-6F4E2ACAEE8A\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:integration_camel_k:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"1.10.1\",\"matchCriteriaId\":\"0E66C6CC-DA05-4BF4-84B5-D537606B0467\"}]}]}],\"references\":[{\"url\":\"https://access.redhat.com/errata/RHSA-2023:2135\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://access.redhat.com/errata/RHSA-2023:3906\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://access.redhat.com/security/cve/CVE-2022-4245\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://bugzilla.redhat.com/show_bug.cgi?id=2149843\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Issue Tracking\",\"Third Party Advisory\"]},{\"url\":\"https://access.redhat.com/errata/RHSA-2023:2135\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://access.redhat.com/errata/RHSA-2023:3906\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://access.redhat.com/security/cve/CVE-2022-4245\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://bugzilla.redhat.com/show_bug.cgi?id=2149843\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Issue Tracking\",\"Third Party Advisory\"]}]}}",
      vulnrichment: {
         containers: "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://access.redhat.com/errata/RHSA-2023:2135\", \"name\": \"RHSA-2023:2135\", \"tags\": [\"vendor-advisory\", \"x_refsource_REDHAT\", \"x_transferred\"]}, {\"url\": \"https://access.redhat.com/errata/RHSA-2023:3906\", \"name\": \"RHSA-2023:3906\", \"tags\": [\"vendor-advisory\", \"x_refsource_REDHAT\", \"x_transferred\"]}, {\"url\": \"https://access.redhat.com/security/cve/CVE-2022-4245\", \"tags\": [\"vdb-entry\", \"x_refsource_REDHAT\", \"x_transferred\"]}, {\"url\": \"https://bugzilla.redhat.com/show_bug.cgi?id=2149843\", \"name\": \"RHBZ#2149843\", \"tags\": [\"issue-tracking\", \"x_refsource_REDHAT\", \"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-03T01:34:49.896Z\"}}, {\"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2022-4245\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-05-07T17:32:13.401725Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-05-07T17:34:21.206Z\"}, \"title\": \"CISA ADP Vulnrichment\"}], \"cna\": {\"title\": \"Codehaus-plexus: xml external entity (xxe) injection\", \"metrics\": [{\"other\": {\"type\": \"Red Hat severity rating\", \"content\": {\"value\": \"Moderate\", \"namespace\": \"https://access.redhat.com/security/updates/classification/\"}}}, {\"format\": \"CVSS\", \"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 4.3, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"LOW\"}}], \"affected\": [{\"cpes\": [\"cpe:/a:redhat:camel_k:1\"], \"vendor\": \"Red Hat\", \"product\": \"RHINT Camel-K-1.10.1\", \"packageName\": \"codehaus-plexus\", \"collectionURL\": \"https://access.redhat.com/jbossnetwork/restricted/listSoftware.html\", \"defaultStatus\": \"unaffected\"}, {\"cpes\": [\"cpe:/a:redhat:jboss_enterprise_bpms_platform:7.13\"], \"vendor\": \"Red Hat\", \"product\": \"RHPAM 7.13.1 async\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"unaffected\"}, {\"cpes\": [\"cpe:/a:redhat:a_mq_clients:2\"], \"vendor\": \"Red Hat\", \"product\": \"A-MQ Clients 2\", \"packageName\": \"codehaus-plexus\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/a:redhat:amq_online:1\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat A-MQ Online\", \"packageName\": \"codehaus-plexus\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/a:redhat:camel_spring_boot:3\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat build of Apache Camel for Spring Boot\", \"packageName\": \"codehaus-plexus\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/a:redhat:quarkus:2\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat build of Quarkus\", \"packageName\": \"codehaus-plexus\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/a:redhat:jboss_data_grid:8\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat Data Grid 8\", \"packageName\": \"codehaus-plexus\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/a:redhat:jboss_enterprise_brms_platform:7\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat Decision Manager 7\", \"packageName\": \"codehaus-plexus\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"unknown\"}, {\"cpes\": [\"cpe:/o:redhat:enterprise_linux:7\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat Enterprise Linux 7\", \"packageName\": \"plexus-utils\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"unknown\"}, {\"cpes\": [\"cpe:/o:redhat:enterprise_linux:8\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat Enterprise Linux 8\", \"packageName\": \"maven:3.6/plexus-utils\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"unaffected\"}, {\"cpes\": [\"cpe:/o:redhat:enterprise_linux:8\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat Enterprise Linux 8\", \"packageName\": \"maven:3.8/plexus-utils\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"unaffected\"}, {\"cpes\": [\"cpe:/o:redhat:enterprise_linux:9\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat Enterprise Linux 9\", \"packageName\": \"maven:3.8/plexus-utils\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"unaffected\"}, {\"cpes\": [\"cpe:/o:redhat:enterprise_linux:9\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat Enterprise Linux 9\", \"packageName\": \"plexus-utils\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"unaffected\"}, {\"cpes\": [\"cpe:/a:redhat:camel_quarkus:2\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat Integration Camel Quarkus\", \"packageName\": \"codehaus-plexus\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/a:redhat:integration:1\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat Integration Change Data Capture\", \"packageName\": \"codehaus-plexus\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/a:redhat:service_registry:2\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat Integration Service Registry\", \"packageName\": \"codehaus-plexus\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/a:redhat:amq_broker:7\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat JBoss A-MQ 7\", \"packageName\": \"codehaus-plexus\", \"collectionURL\": \"https://access.redhat.com/jbossnetwork/restricted/listSoftware.html\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/a:redhat:jboss_data_grid:7\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat JBoss Data Grid 7\", \"packageName\": \"codehaus-plexus\", \"collectionURL\": \"https://access.redhat.com/jbossnetwork/restricted/listSoftware.html\", \"defaultStatus\": \"unknown\"}, {\"cpes\": [\"cpe:/a:redhat:jboss_enterprise_application_platform:6\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat JBoss Enterprise Application Platform 6\", \"packageName\": \"codehaus-plexus\", \"collectionURL\": \"https://access.redhat.com/jbossnetwork/restricted/listSoftware.html\", \"defaultStatus\": \"unknown\"}, {\"cpes\": [\"cpe:/a:redhat:jboss_enterprise_application_platform:7\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat JBoss Enterprise Application Platform 7\", \"packageName\": \"codehaus-plexus\", \"collectionURL\": \"https://access.redhat.com/jbossnetwork/restricted/listSoftware.html\", \"defaultStatus\": \"unaffected\"}, {\"cpes\": [\"cpe:/a:redhat:jbosseapxp\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat JBoss Enterprise Application Platform Expansion Pack\", \"packageName\": \"codehaus-plexus\", \"collectionURL\": \"https://access.redhat.com/jbossnetwork/restricted/listSoftware.html\", \"defaultStatus\": \"unaffected\"}, {\"cpes\": [\"cpe:/a:redhat:jboss_fuse:6\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat JBoss Fuse 6\", \"packageName\": \"codehaus-plexus\", \"collectionURL\": \"https://access.redhat.com/jbossnetwork/restricted/listSoftware.html\", \"defaultStatus\": \"unknown\"}, {\"cpes\": [\"cpe:/a:redhat:jboss_fuse:7\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat JBoss Fuse 7\", \"packageName\": \"codehaus-plexus\", \"collectionURL\": \"https://access.redhat.com/jbossnetwork/restricted/listSoftware.html\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/a:redhat:jboss_fuse_service_works:6\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat JBoss Fuse Service Works 6\", \"packageName\": \"codehaus-plexus\", \"collectionURL\": \"https://access.redhat.com/jbossnetwork/restricted/listSoftware.html\", \"defaultStatus\": \"unknown\"}, {\"cpes\": [\"cpe:/a:redhat:jboss_enterprise_web_server:3\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat JBoss Web Server 3\", \"packageName\": \"codehaus-plexus\", \"collectionURL\": \"https://access.redhat.com/jbossnetwork/restricted/listSoftware.html\", \"defaultStatus\": \"unknown\"}, {\"cpes\": [\"cpe:/a:redhat:jboss_enterprise_web_server:5\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat JBoss Web Server 5\", \"packageName\": \"codehaus-plexus\", \"collectionURL\": \"https://access.redhat.com/jbossnetwork/restricted/listSoftware.html\", \"defaultStatus\": \"unaffected\"}, {\"cpes\": [\"cpe:/a:redhat:openshift_application_runtimes:1.0\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat OpenShift Application Runtimes\", \"packageName\": \"codehaus-plexus\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"unaffected\"}, {\"cpes\": [\"cpe:/a:redhat:jboss_enterprise_bpms_platform:7\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat Process Automation 7\", \"packageName\": \"codehaus-plexus\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/a:redhat:red_hat_single_sign_on:7\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat Single Sign-On 7\", \"packageName\": \"org.codehaus.plexus-plexus-utils\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/a:redhat:rhel_software_collections:3\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat Software Collections\", \"packageName\": \"rh-maven36-byte-buddy\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/a:redhat:rhel_software_collections:3\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat Software Collections\", \"packageName\": \"rh-maven36-maven\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"unaffected\"}, {\"cpes\": [\"cpe:/a:redhat:rhel_software_collections:3\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat Software Collections\", \"packageName\": \"rh-maven36-maven-archiver\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"unaffected\"}, {\"cpes\": [\"cpe:/a:redhat:rhel_software_collections:3\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat Software Collections\", \"packageName\": \"rh-maven36-maven-assembly-plugin\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/a:redhat:rhel_software_collections:3\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat Software Collections\", \"packageName\": \"rh-maven36-maven-compiler-plugin\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/a:redhat:rhel_software_collections:3\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat Software Collections\", \"packageName\": \"rh-maven36-maven-jar-plugin\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"unaffected\"}, {\"cpes\": [\"cpe:/a:redhat:rhel_software_collections:3\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat Software Collections\", \"packageName\": \"rh-maven36-maven-plugin-bundle\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/a:redhat:rhel_software_collections:3\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat Software Collections\", \"packageName\": \"rh-maven36-maven-remote-resources-plugin\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"unaffected\"}, {\"cpes\": [\"cpe:/a:redhat:rhel_software_collections:3\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat Software Collections\", \"packageName\": \"rh-maven36-maven-shade-plugin\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/a:redhat:rhel_software_collections:3\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat Software Collections\", \"packageName\": \"rh-maven36-maven-source-plugin\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/a:redhat:rhel_software_collections:3\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat Software Collections\", \"packageName\": \"rh-maven36-maven-surefire\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/a:redhat:rhel_software_collections:3\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat Software Collections\", \"packageName\": \"rh-maven36-plexus-utils\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"unaffected\"}, {\"cpes\": [\"cpe:/a:redhat:openshift_application_runtimes:1.0\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat support for Spring Boot\", \"packageName\": \"codehaus-plexus\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"affected\"}], \"timeline\": [{\"lang\": \"en\", \"time\": \"2022-12-01T00:00:00+00:00\", \"value\": \"Reported to Red Hat.\"}, {\"lang\": \"en\", \"time\": \"2022-12-01T00:00:00+00:00\", \"value\": \"Made public.\"}], \"datePublic\": \"2022-12-01T00:00:00+00:00\", \"references\": [{\"url\": \"https://access.redhat.com/errata/RHSA-2023:2135\", \"name\": \"RHSA-2023:2135\", \"tags\": [\"vendor-advisory\", \"x_refsource_REDHAT\"]}, {\"url\": \"https://access.redhat.com/errata/RHSA-2023:3906\", \"name\": \"RHSA-2023:3906\", \"tags\": [\"vendor-advisory\", \"x_refsource_REDHAT\"]}, {\"url\": \"https://access.redhat.com/security/cve/CVE-2022-4245\", \"tags\": [\"vdb-entry\", \"x_refsource_REDHAT\"]}, {\"url\": \"https://bugzilla.redhat.com/show_bug.cgi?id=2149843\", \"name\": \"RHBZ#2149843\", \"tags\": [\"issue-tracking\", \"x_refsource_REDHAT\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"A flaw was found in codehaus-plexus. The org.codehaus.plexus.util.xml.XmlWriterUtil#writeComment fails to sanitize comments for a --> sequence. This issue means that text contained in the command string could be interpreted as XML and allow for XML injection.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-91\", \"description\": \"XML Injection (aka Blind XPath Injection)\"}]}], \"providerMetadata\": {\"orgId\": \"53f830b8-0a3f-465b-8143-3b8a9948e749\", \"shortName\": \"redhat\", \"dateUpdated\": \"2024-05-03T15:32:28.238Z\"}, \"x_redhatCweChain\": \"CWE-91: XML Injection (aka Blind XPath Injection)\"}}",
         cveMetadata: "{\"cveId\": \"CVE-2022-4245\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2024-08-03T01:34:49.896Z\", \"dateReserved\": \"2022-12-01T06:39:39.475Z\", \"assignerOrgId\": \"53f830b8-0a3f-465b-8143-3b8a9948e749\", \"datePublished\": \"2023-09-25T19:20:57.329Z\", \"assignerShortName\": \"redhat\"}",
         dataType: "CVE_RECORD",
         dataVersion: "5.1",
      },
   },
}

rhsa-2023:2135

Vulnerability from csaf_redhat

Published

2023-05-04 15:59

Modified

2025-03-14 23:59

Summary

Red Hat Security Advisory: Red Hat Process Automation Manager 7.13.3 security update

Notes

Topic

An update is now available for Red Hat Process Automation Manager. Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Details

Red Hat Process Automation Manager is an open source business process management suite that combines process management and decision service management and enables business and IT users to create, manage, validate, and deploy process applications and decision services. This asynchronous security patch is an update to Red Hat Process Automation Manager 7. Security Fixes: * CXF: Apache CXF: SSRF Vulnerability (CVE-2022-46364) * keycloak: path traversal via double URL encoding (CVE-2022-3782) * undertow: Infinite loop in SslConduit during close (CVE-2023-1108) * commons-text: apache-commons-text: variable interpolation RCE (CVE-2022-42889) * jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS (CVE-2022-42003) * jackson-databind: use of deeply nested arrays (CVE-2022-42004) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

JSON

To clipboard

{
   document: {
      aggregate_severity: {
         namespace: "https://access.redhat.com/security/updates/classification/",
         text: "Important",
      },
      category: "csaf_security_advisory",
      csaf_version: "2.0",
      distribution: {
         text: "Copyright © Red Hat, Inc. All rights reserved.",
         tlp: {
            label: "WHITE",
            url: "https://www.first.org/tlp/",
         },
      },
      lang: "en",
      notes: [
         {
            category: "summary",
            text: "An update is now available for Red Hat Process Automation Manager.\n\nRed Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
            title: "Topic",
         },
         {
            category: "general",
            text: "Red Hat Process Automation Manager is an open source business process management suite that combines process management and decision service management and enables business and IT users to create, manage, validate, and deploy process applications and decision services.\n\nThis asynchronous security patch is an update to Red Hat Process Automation Manager 7.\n\nSecurity Fixes:\n\n* CXF: Apache CXF: SSRF Vulnerability (CVE-2022-46364)\n\n* keycloak: path traversal via double URL encoding (CVE-2022-3782)\n\n* undertow: Infinite loop in SslConduit during close (CVE-2023-1108)\n\n* commons-text: apache-commons-text: variable interpolation RCE (CVE-2022-42889)\n\n* jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS (CVE-2022-42003)\n\n* jackson-databind: use of deeply nested arrays (CVE-2022-42004)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
            title: "Details",
         },
         {
            category: "legal_disclaimer",
            text: "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
            title: "Terms of Use",
         },
      ],
      publisher: {
         category: "vendor",
         contact_details: "https://access.redhat.com/security/team/contact/",
         issuing_authority: "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
         name: "Red Hat Product Security",
         namespace: "https://www.redhat.com",
      },
      references: [
         {
            category: "self",
            summary: "https://access.redhat.com/errata/RHSA-2023:2135",
            url: "https://access.redhat.com/errata/RHSA-2023:2135",
         },
         {
            category: "external",
            summary: "https://access.redhat.com/security/updates/classification/#important",
            url: "https://access.redhat.com/security/updates/classification/#important",
         },
         {
            category: "external",
            summary: "2135244",
            url: "https://bugzilla.redhat.com/show_bug.cgi?id=2135244",
         },
         {
            category: "external",
            summary: "2135247",
            url: "https://bugzilla.redhat.com/show_bug.cgi?id=2135247",
         },
         {
            category: "external",
            summary: "2135435",
            url: "https://bugzilla.redhat.com/show_bug.cgi?id=2135435",
         },
         {
            category: "external",
            summary: "2138971",
            url: "https://bugzilla.redhat.com/show_bug.cgi?id=2138971",
         },
         {
            category: "external",
            summary: "2155682",
            url: "https://bugzilla.redhat.com/show_bug.cgi?id=2155682",
         },
         {
            category: "external",
            summary: "2174246",
            url: "https://bugzilla.redhat.com/show_bug.cgi?id=2174246",
         },
         {
            category: "self",
            summary: "Canonical URL",
            url: "https://security.access.redhat.com/data/csaf/v2/advisories/2023/rhsa-2023_2135.json",
         },
      ],
      title: "Red Hat Security Advisory: Red Hat Process Automation Manager 7.13.3 security update",
      tracking: {
         current_release_date: "2025-03-14T23:59:20+00:00",
         generator: {
            date: "2025-03-14T23:59:20+00:00",
            engine: {
               name: "Red Hat SDEngine",
               version: "4.4.1",
            },
         },
         id: "RHSA-2023:2135",
         initial_release_date: "2023-05-04T15:59:31+00:00",
         revision_history: [
            {
               date: "2023-05-04T15:59:31+00:00",
               number: "1",
               summary: "Initial version",
            },
            {
               date: "2023-05-04T15:59:31+00:00",
               number: "2",
               summary: "Last updated version",
            },
            {
               date: "2025-03-14T23:59:20+00:00",
               number: "3",
               summary: "Last generated version",
            },
         ],
         status: "final",
         version: "3",
      },
   },
   product_tree: {
      branches: [
         {
            branches: [
               {
                  branches: [
                     {
                        category: "product_name",
                        name: "RHPAM 7.13.1 async",
                        product: {
                           name: "RHPAM 7.13.1 async",
                           product_id: "RHPAM 7.13.1 async",
                           product_identification_helper: {
                              cpe: "cpe:/a:redhat:jboss_enterprise_bpms_platform:7.13",
                           },
                        },
                     },
                  ],
                  category: "product_family",
                  name: "Red Hat Process Automation Manager",
               },
            ],
            category: "vendor",
            name: "Red Hat",
         },
      ],
   },
   vulnerabilities: [
      {
         cve: "CVE-2022-3782",
         cwe: {
            id: "CWE-22",
            name: "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')",
         },
         discovery_date: "2022-10-31T00:00:00+00:00",
         ids: [
            {
               system_name: "Red Hat Bugzilla ID",
               text: "2138971",
            },
         ],
         notes: [
            {
               category: "description",
               text: "A flaw was found in Keycloak, where it does not properly validate URLs included in a redirect. An attacker can use this flaw to construct a malicious request to bypass validation and access other URLs and potentially sensitive information within the domain or possibly conduct further attacks. This flaw affects any client that utilizes a wildcard in the Valid Redirect URIs field.",
               title: "Vulnerability description",
            },
            {
               category: "summary",
               text: "keycloak: path traversal via double URL encoding",
               title: "Vulnerability summary",
            },
            {
               category: "other",
               text: "Red Hat Build of Quarkus is not impacted as this CVE affects the server-side Keycloak execution but Quarkus only acts as a Keycloak client in its quarkus-keycloak-authorization extension. For this reason Quarkus is marked with Low impact.",
               title: "Statement",
            },
            {
               category: "general",
               text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
               title: "CVSS score applicability",
            },
         ],
         product_status: {
            fixed: [
               "RHPAM 7.13.1 async",
            ],
         },
         references: [
            {
               category: "self",
               summary: "Canonical URL",
               url: "https://access.redhat.com/security/cve/CVE-2022-3782",
            },
            {
               category: "external",
               summary: "RHBZ#2138971",
               url: "https://bugzilla.redhat.com/show_bug.cgi?id=2138971",
            },
            {
               category: "external",
               summary: "https://www.cve.org/CVERecord?id=CVE-2022-3782",
               url: "https://www.cve.org/CVERecord?id=CVE-2022-3782",
            },
            {
               category: "external",
               summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-3782",
               url: "https://nvd.nist.gov/vuln/detail/CVE-2022-3782",
            },
         ],
         release_date: "2022-12-12T00:00:00+00:00",
         remediations: [
            {
               category: "vendor_fix",
               date: "2023-05-04T15:59:31+00:00",
               details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
               product_ids: [
                  "RHPAM 7.13.1 async",
               ],
               restart_required: {
                  category: "none",
               },
               url: "https://access.redhat.com/errata/RHSA-2023:2135",
            },
         ],
         scores: [
            {
               cvss_v3: {
                  attackComplexity: "LOW",
                  attackVector: "NETWORK",
                  availabilityImpact: "NONE",
                  baseScore: 8.1,
                  baseSeverity: "HIGH",
                  confidentialityImpact: "HIGH",
                  integrityImpact: "HIGH",
                  privilegesRequired: "NONE",
                  scope: "UNCHANGED",
                  userInteraction: "REQUIRED",
                  vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
                  version: "3.1",
               },
               products: [
                  "RHPAM 7.13.1 async",
               ],
            },
         ],
         threats: [
            {
               category: "impact",
               details: "Important",
            },
         ],
         title: "keycloak: path traversal via double URL encoding",
      },
      {
         cve: "CVE-2022-4244",
         cwe: {
            id: "CWE-22",
            name: "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')",
         },
         discovery_date: "2022-12-01T00:00:00+00:00",
         ids: [
            {
               system_name: "Red Hat Bugzilla ID",
               text: "2149841",
            },
         ],
         notes: [
            {
               category: "description",
               text: "A flaw was found in codeplex-codehaus. A directory traversal attack (also known as path traversal) aims to access files and directories stored outside the intended folder. By manipulating files with \"dot-dot-slash (../)\" sequences and their variations or by using absolute file paths, it may be possible to access arbitrary files and directories stored on the file system, including application source code, configuration, and other critical system files.",
               title: "Vulnerability description",
            },
            {
               category: "summary",
               text: "codehaus-plexus: Directory Traversal",
               title: "Vulnerability summary",
            },
            {
               category: "other",
               text: "Red Hat Single Sign-On uses this package for testing purposes and is not delivered with the distribution. Hence not affected status.",
               title: "Statement",
            },
            {
               category: "general",
               text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
               title: "CVSS score applicability",
            },
         ],
         product_status: {
            fixed: [
               "RHPAM 7.13.1 async",
            ],
         },
         references: [
            {
               category: "self",
               summary: "Canonical URL",
               url: "https://access.redhat.com/security/cve/CVE-2022-4244",
            },
            {
               category: "external",
               summary: "RHBZ#2149841",
               url: "https://bugzilla.redhat.com/show_bug.cgi?id=2149841",
            },
            {
               category: "external",
               summary: "https://www.cve.org/CVERecord?id=CVE-2022-4244",
               url: "https://www.cve.org/CVERecord?id=CVE-2022-4244",
            },
            {
               category: "external",
               summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-4244",
               url: "https://nvd.nist.gov/vuln/detail/CVE-2022-4244",
            },
         ],
         release_date: "2022-12-01T00:00:00+00:00",
         remediations: [
            {
               category: "vendor_fix",
               date: "2023-05-04T15:59:31+00:00",
               details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
               product_ids: [
                  "RHPAM 7.13.1 async",
               ],
               restart_required: {
                  category: "none",
               },
               url: "https://access.redhat.com/errata/RHSA-2023:2135",
            },
         ],
         scores: [
            {
               cvss_v3: {
                  attackComplexity: "LOW",
                  attackVector: "NETWORK",
                  availabilityImpact: "NONE",
                  baseScore: 7.5,
                  baseSeverity: "HIGH",
                  confidentialityImpact: "HIGH",
                  integrityImpact: "NONE",
                  privilegesRequired: "NONE",
                  scope: "UNCHANGED",
                  userInteraction: "NONE",
                  vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
                  version: "3.1",
               },
               products: [
                  "RHPAM 7.13.1 async",
               ],
            },
         ],
         threats: [
            {
               category: "impact",
               details: "Moderate",
            },
         ],
         title: "codehaus-plexus: Directory Traversal",
      },
      {
         cve: "CVE-2022-4245",
         cwe: {
            id: "CWE-91",
            name: "XML Injection (aka Blind XPath Injection)",
         },
         discovery_date: "2022-12-01T00:00:00+00:00",
         ids: [
            {
               system_name: "Red Hat Bugzilla ID",
               text: "2149843",
            },
         ],
         notes: [
            {
               category: "description",
               text: "A flaw was found in codehaus-plexus. The org.codehaus.plexus.util.xml.XmlWriterUtil#writeComment fails to sanitize comments for a --> sequence. This issue means that text contained in the command string could be interpreted as XML and allow for XML injection.",
               title: "Vulnerability description",
            },
            {
               category: "summary",
               text: "codehaus-plexus: XML External Entity (XXE) Injection",
               title: "Vulnerability summary",
            },
            {
               category: "general",
               text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
               title: "CVSS score applicability",
            },
         ],
         product_status: {
            fixed: [
               "RHPAM 7.13.1 async",
            ],
         },
         references: [
            {
               category: "self",
               summary: "Canonical URL",
               url: "https://access.redhat.com/security/cve/CVE-2022-4245",
            },
            {
               category: "external",
               summary: "RHBZ#2149843",
               url: "https://bugzilla.redhat.com/show_bug.cgi?id=2149843",
            },
            {
               category: "external",
               summary: "https://www.cve.org/CVERecord?id=CVE-2022-4245",
               url: "https://www.cve.org/CVERecord?id=CVE-2022-4245",
            },
            {
               category: "external",
               summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-4245",
               url: "https://nvd.nist.gov/vuln/detail/CVE-2022-4245",
            },
         ],
         release_date: "2022-12-01T00:00:00+00:00",
         remediations: [
            {
               category: "vendor_fix",
               date: "2023-05-04T15:59:31+00:00",
               details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
               product_ids: [
                  "RHPAM 7.13.1 async",
               ],
               restart_required: {
                  category: "none",
               },
               url: "https://access.redhat.com/errata/RHSA-2023:2135",
            },
         ],
         scores: [
            {
               cvss_v3: {
                  attackComplexity: "LOW",
                  attackVector: "NETWORK",
                  availabilityImpact: "NONE",
                  baseScore: 4.3,
                  baseSeverity: "MEDIUM",
                  confidentialityImpact: "LOW",
                  integrityImpact: "NONE",
                  privilegesRequired: "LOW",
                  scope: "UNCHANGED",
                  userInteraction: "NONE",
                  vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
                  version: "3.1",
               },
               products: [
                  "RHPAM 7.13.1 async",
               ],
            },
         ],
         threats: [
            {
               category: "impact",
               details: "Moderate",
            },
         ],
         title: "codehaus-plexus: XML External Entity (XXE) Injection",
      },
      {
         cve: "CVE-2022-40149",
         cwe: {
            id: "CWE-787",
            name: "Out-of-bounds Write",
         },
         discovery_date: "2022-10-18T00:00:00+00:00",
         ids: [
            {
               system_name: "Red Hat Bugzilla ID",
               text: "2135771",
            },
         ],
         notes: [
            {
               category: "description",
               text: "A stack-based buffer overflow vulnerability was found in Jettison, where parsing an untrusted XML or JSON data may lead to a crash. This flaw allows an attacker to supply content that causes the parser to crash by writing outside the memory bounds if the parser is running on user-supplied input, resulting in a denial of service attack.",
               title: "Vulnerability description",
            },
            {
               category: "summary",
               text: "jettison: parser crash by stackoverflow",
               title: "Vulnerability summary",
            },
            {
               category: "general",
               text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
               title: "CVSS score applicability",
            },
         ],
         product_status: {
            fixed: [
               "RHPAM 7.13.1 async",
            ],
         },
         references: [
            {
               category: "self",
               summary: "Canonical URL",
               url: "https://access.redhat.com/security/cve/CVE-2022-40149",
            },
            {
               category: "external",
               summary: "RHBZ#2135771",
               url: "https://bugzilla.redhat.com/show_bug.cgi?id=2135771",
            },
            {
               category: "external",
               summary: "https://www.cve.org/CVERecord?id=CVE-2022-40149",
               url: "https://www.cve.org/CVERecord?id=CVE-2022-40149",
            },
            {
               category: "external",
               summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-40149",
               url: "https://nvd.nist.gov/vuln/detail/CVE-2022-40149",
            },
            {
               category: "external",
               summary: "https://github.com/jettison-json/jettison/releases/tag/jettison-1.5.1",
               url: "https://github.com/jettison-json/jettison/releases/tag/jettison-1.5.1",
            },
         ],
         release_date: "2022-09-20T00:00:00+00:00",
         remediations: [
            {
               category: "vendor_fix",
               date: "2023-05-04T15:59:31+00:00",
               details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
               product_ids: [
                  "RHPAM 7.13.1 async",
               ],
               restart_required: {
                  category: "none",
               },
               url: "https://access.redhat.com/errata/RHSA-2023:2135",
            },
         ],
         scores: [
            {
               cvss_v3: {
                  attackComplexity: "LOW",
                  attackVector: "NETWORK",
                  availabilityImpact: "HIGH",
                  baseScore: 7.5,
                  baseSeverity: "HIGH",
                  confidentialityImpact: "NONE",
                  integrityImpact: "NONE",
                  privilegesRequired: "NONE",
                  scope: "UNCHANGED",
                  userInteraction: "NONE",
                  vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                  version: "3.1",
               },
               products: [
                  "RHPAM 7.13.1 async",
               ],
            },
         ],
         threats: [
            {
               category: "impact",
               details: "Moderate",
            },
         ],
         title: "jettison: parser crash by stackoverflow",
      },
      {
         cve: "CVE-2022-40150",
         cwe: {
            id: "CWE-400",
            name: "Uncontrolled Resource Consumption",
         },
         discovery_date: "2022-10-18T00:00:00+00:00",
         ids: [
            {
               system_name: "Red Hat Bugzilla ID",
               text: "2135770",
            },
         ],
         notes: [
            {
               category: "description",
               text: "A vulnerability was found in Jettison, where parsing an untrusted XML or JSON data may lead to a crash. If the parser is running on user-supplied input, an attacker may supply content that causes the parser to crash, causing memory exhaustion. This effect may support a denial of service attack.",
               title: "Vulnerability description",
            },
            {
               category: "summary",
               text: "jettison: memory exhaustion via user-supplied XML or JSON data",
               title: "Vulnerability summary",
            },
            {
               category: "general",
               text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
               title: "CVSS score applicability",
            },
         ],
         product_status: {
            fixed: [
               "RHPAM 7.13.1 async",
            ],
         },
         references: [
            {
               category: "self",
               summary: "Canonical URL",
               url: "https://access.redhat.com/security/cve/CVE-2022-40150",
            },
            {
               category: "external",
               summary: "RHBZ#2135770",
               url: "https://bugzilla.redhat.com/show_bug.cgi?id=2135770",
            },
            {
               category: "external",
               summary: "https://www.cve.org/CVERecord?id=CVE-2022-40150",
               url: "https://www.cve.org/CVERecord?id=CVE-2022-40150",
            },
            {
               category: "external",
               summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-40150",
               url: "https://nvd.nist.gov/vuln/detail/CVE-2022-40150",
            },
            {
               category: "external",
               summary: "https://github.com/jettison-json/jettison/releases/tag/jettison-1.5.1",
               url: "https://github.com/jettison-json/jettison/releases/tag/jettison-1.5.1",
            },
         ],
         release_date: "2022-09-20T00:00:00+00:00",
         remediations: [
            {
               category: "vendor_fix",
               date: "2023-05-04T15:59:31+00:00",
               details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
               product_ids: [
                  "RHPAM 7.13.1 async",
               ],
               restart_required: {
                  category: "none",
               },
               url: "https://access.redhat.com/errata/RHSA-2023:2135",
            },
         ],
         scores: [
            {
               cvss_v3: {
                  attackComplexity: "LOW",
                  attackVector: "NETWORK",
                  availabilityImpact: "HIGH",
                  baseScore: 7.5,
                  baseSeverity: "HIGH",
                  confidentialityImpact: "NONE",
                  integrityImpact: "NONE",
                  privilegesRequired: "NONE",
                  scope: "UNCHANGED",
                  userInteraction: "NONE",
                  vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                  version: "3.1",
               },
               products: [
                  "RHPAM 7.13.1 async",
               ],
            },
         ],
         threats: [
            {
               category: "impact",
               details: "Low",
            },
         ],
         title: "jettison: memory exhaustion via user-supplied XML or JSON data",
      },
      {
         cve: "CVE-2022-42003",
         cwe: {
            id: "CWE-502",
            name: "Deserialization of Untrusted Data",
         },
         discovery_date: "2022-10-17T00:00:00+00:00",
         ids: [
            {
               system_name: "Red Hat Bugzilla ID",
               text: "2135244",
            },
         ],
         notes: [
            {
               category: "description",
               text: "A flaw was found in FasterXML jackson-databind. This issue could allow an attacker to benefit from resource exhaustion when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled due to unchecked primitive value deserializers to avoid deep wrapper array nesting.",
               title: "Vulnerability description",
            },
            {
               category: "summary",
               text: "jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS",
               title: "Vulnerability summary",
            },
            {
               category: "general",
               text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
               title: "CVSS score applicability",
            },
         ],
         product_status: {
            fixed: [
               "RHPAM 7.13.1 async",
            ],
         },
         references: [
            {
               category: "self",
               summary: "Canonical URL",
               url: "https://access.redhat.com/security/cve/CVE-2022-42003",
            },
            {
               category: "external",
               summary: "RHBZ#2135244",
               url: "https://bugzilla.redhat.com/show_bug.cgi?id=2135244",
            },
            {
               category: "external",
               summary: "https://www.cve.org/CVERecord?id=CVE-2022-42003",
               url: "https://www.cve.org/CVERecord?id=CVE-2022-42003",
            },
            {
               category: "external",
               summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-42003",
               url: "https://nvd.nist.gov/vuln/detail/CVE-2022-42003",
            },
         ],
         release_date: "2022-10-02T00:00:00+00:00",
         remediations: [
            {
               category: "vendor_fix",
               date: "2023-05-04T15:59:31+00:00",
               details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
               product_ids: [
                  "RHPAM 7.13.1 async",
               ],
               restart_required: {
                  category: "none",
               },
               url: "https://access.redhat.com/errata/RHSA-2023:2135",
            },
         ],
         scores: [
            {
               cvss_v3: {
                  attackComplexity: "LOW",
                  attackVector: "NETWORK",
                  availabilityImpact: "HIGH",
                  baseScore: 7.5,
                  baseSeverity: "HIGH",
                  confidentialityImpact: "NONE",
                  integrityImpact: "NONE",
                  privilegesRequired: "NONE",
                  scope: "UNCHANGED",
                  userInteraction: "NONE",
                  vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                  version: "3.1",
               },
               products: [
                  "RHPAM 7.13.1 async",
               ],
            },
         ],
         threats: [
            {
               category: "impact",
               details: "Moderate",
            },
         ],
         title: "jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS",
      },
      {
         cve: "CVE-2022-42004",
         cwe: {
            id: "CWE-502",
            name: "Deserialization of Untrusted Data",
         },
         discovery_date: "2022-10-17T00:00:00+00:00",
         ids: [
            {
               system_name: "Red Hat Bugzilla ID",
               text: "2135247",
            },
         ],
         notes: [
            {
               category: "description",
               text: "A flaw was found In FasterXML jackson-databind. This issue could allow an attacker to benefit from resource exhaustion due to the lack of a check in BeanDeserializer._deserializeFromArray to prevent the use of deeply nested arrays. An application is only vulnerable with certain customized choices for deserialization.",
               title: "Vulnerability description",
            },
            {
               category: "summary",
               text: "jackson-databind: use of deeply nested arrays",
               title: "Vulnerability summary",
            },
            {
               category: "general",
               text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
               title: "CVSS score applicability",
            },
         ],
         product_status: {
            fixed: [
               "RHPAM 7.13.1 async",
            ],
         },
         references: [
            {
               category: "self",
               summary: "Canonical URL",
               url: "https://access.redhat.com/security/cve/CVE-2022-42004",
            },
            {
               category: "external",
               summary: "RHBZ#2135247",
               url: "https://bugzilla.redhat.com/show_bug.cgi?id=2135247",
            },
            {
               category: "external",
               summary: "https://www.cve.org/CVERecord?id=CVE-2022-42004",
               url: "https://www.cve.org/CVERecord?id=CVE-2022-42004",
            },
            {
               category: "external",
               summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-42004",
               url: "https://nvd.nist.gov/vuln/detail/CVE-2022-42004",
            },
         ],
         release_date: "2022-10-02T00:00:00+00:00",
         remediations: [
            {
               category: "vendor_fix",
               date: "2023-05-04T15:59:31+00:00",
               details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
               product_ids: [
                  "RHPAM 7.13.1 async",
               ],
               restart_required: {
                  category: "none",
               },
               url: "https://access.redhat.com/errata/RHSA-2023:2135",
            },
         ],
         scores: [
            {
               cvss_v3: {
                  attackComplexity: "LOW",
                  attackVector: "NETWORK",
                  availabilityImpact: "HIGH",
                  baseScore: 7.5,
                  baseSeverity: "HIGH",
                  confidentialityImpact: "NONE",
                  integrityImpact: "NONE",
                  privilegesRequired: "NONE",
                  scope: "UNCHANGED",
                  userInteraction: "NONE",
                  vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                  version: "3.1",
               },
               products: [
                  "RHPAM 7.13.1 async",
               ],
            },
         ],
         threats: [
            {
               category: "impact",
               details: "Moderate",
            },
         ],
         title: "jackson-databind: use of deeply nested arrays",
      },
      {
         cve: "CVE-2022-42889",
         cwe: {
            id: "CWE-1188",
            name: "Initialization of a Resource with an Insecure Default",
         },
         discovery_date: "2022-10-15T00:00:00+00:00",
         ids: [
            {
               system_name: "Red Hat Bugzilla ID",
               text: "2135435",
            },
         ],
         notes: [
            {
               category: "description",
               text: "A flaw was found in Apache Commons Text packages 1.5 through 1.9.  The affected versions allow an attacker to benefit from a variable interpolation process contained in Apache Commons Text, which can cause properties to be dynamically defined. Server applications are vulnerable to remote code execution (RCE) and unintentional contact with untrusted remote servers.",
               title: "Vulnerability description",
            },
            {
               category: "summary",
               text: "apache-commons-text: variable interpolation RCE",
               title: "Vulnerability summary",
            },
            {
               category: "other",
               text: "In order to carry successful exploitation of this vulnerability, the following conditions must be in place on the affected target:\n  - Usage of specific methods that interpolate the variables as described in the flaw\n  - Usage of external input for those methods\n  - Usage of that external input has to be unsanitized/no \"allow list\"/etc.\n\nThe following products have *Low* impact because they have maven references to the affected package but do not ship it nor use the code:\n- Red Hat EAP Expansion Pack (EAP-XP)\n- Red Hat Camel-K\n- Red Hat Camel-Quarkus\n\nRed Hat Satellite ships Candlepin that embeds Apache Commons Text, however, it is not vulnerable to the flaw since the library has not been exposed in the product code. In Candlepin, the Commons Text is being pulled for the Liquibase and ActiveMQ Artemis libraries as a dependency. Red Hat Product Security has evaluated and rated the impact of the flaw as Low for Satellite since there was no harm identified to the confidentiality, integrity, or availability of systems.\n\n- The OCP has a *Moderate* impact because the affected library is a third-party library in the OCP jenkins-2-plugin component which reduces the possibilities of successful exploitation.\n- The OCP-4.8 is affected by this CVE and is in an extended life phase. For versions of products in the Extended Life Phase, Red Hat will provide limited ongoing technical support. No bug fixes, security fixes, hardware enablement or root-cause analysis will be available during this phase, and support will be provided on existing installations only.",
               title: "Statement",
            },
            {
               category: "general",
               text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
               title: "CVSS score applicability",
            },
         ],
         product_status: {
            fixed: [
               "RHPAM 7.13.1 async",
            ],
         },
         references: [
            {
               category: "self",
               summary: "Canonical URL",
               url: "https://access.redhat.com/security/cve/CVE-2022-42889",
            },
            {
               category: "external",
               summary: "RHBZ#2135435",
               url: "https://bugzilla.redhat.com/show_bug.cgi?id=2135435",
            },
            {
               category: "external",
               summary: "https://www.cve.org/CVERecord?id=CVE-2022-42889",
               url: "https://www.cve.org/CVERecord?id=CVE-2022-42889",
            },
            {
               category: "external",
               summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-42889",
               url: "https://nvd.nist.gov/vuln/detail/CVE-2022-42889",
            },
            {
               category: "external",
               summary: "https://blogs.apache.org/security/entry/cve-2022-42889",
               url: "https://blogs.apache.org/security/entry/cve-2022-42889",
            },
            {
               category: "external",
               summary: "https://lists.apache.org/thread/n2bd4vdsgkqh2tm14l1wyc3jyol7s1om",
               url: "https://lists.apache.org/thread/n2bd4vdsgkqh2tm14l1wyc3jyol7s1om",
            },
            {
               category: "external",
               summary: "https://seclists.org/oss-sec/2022/q4/22",
               url: "https://seclists.org/oss-sec/2022/q4/22",
            },
         ],
         release_date: "2022-10-13T00:00:00+00:00",
         remediations: [
            {
               category: "vendor_fix",
               date: "2023-05-04T15:59:31+00:00",
               details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
               product_ids: [
                  "RHPAM 7.13.1 async",
               ],
               restart_required: {
                  category: "none",
               },
               url: "https://access.redhat.com/errata/RHSA-2023:2135",
            },
            {
               category: "workaround",
               details: "This flaw may be avoided by ensuring that any external inputs used with the Commons-Text lookup methods are sanitized properly. Untrusted input should always be thoroughly sanitized before using in any potentially risky situations.",
               product_ids: [
                  "RHPAM 7.13.1 async",
               ],
            },
         ],
         scores: [
            {
               cvss_v3: {
                  attackComplexity: "LOW",
                  attackVector: "NETWORK",
                  availabilityImpact: "HIGH",
                  baseScore: 9.8,
                  baseSeverity: "CRITICAL",
                  confidentialityImpact: "HIGH",
                  integrityImpact: "HIGH",
                  privilegesRequired: "NONE",
                  scope: "UNCHANGED",
                  userInteraction: "NONE",
                  vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                  version: "3.1",
               },
               products: [
                  "RHPAM 7.13.1 async",
               ],
            },
         ],
         threats: [
            {
               category: "impact",
               details: "Moderate",
            },
         ],
         title: "apache-commons-text: variable interpolation RCE",
      },
      {
         cve: "CVE-2022-45693",
         cwe: {
            id: "CWE-787",
            name: "Out-of-bounds Write",
         },
         discovery_date: "2022-12-23T00:00:00+00:00",
         ids: [
            {
               system_name: "Red Hat Bugzilla ID",
               text: "2155970",
            },
         ],
         notes: [
            {
               category: "description",
               text: "A flaw was found in Jettison, where it is vulnerable to a denial of service caused by a stack-based buffer overflow. By sending a specially-crafted request using the map parameter, a remote attacker can cause a denial of service.",
               title: "Vulnerability description",
            },
            {
               category: "summary",
               text: "jettison: If the value in map is the map's self, the new new JSONObject(map) cause StackOverflowError which may lead to dos",
               title: "Vulnerability summary",
            },
            {
               category: "other",
               text: "Red Hat has determined the impact of this flaw to be Moderate; a successful attack using this flaw would require the processing of untrusted, unsanitized, or unrestricted user inputs, which runs counter to established Red Hat security practices.",
               title: "Statement",
            },
            {
               category: "general",
               text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
               title: "CVSS score applicability",
            },
         ],
         product_status: {
            fixed: [
               "RHPAM 7.13.1 async",
            ],
         },
         references: [
            {
               category: "self",
               summary: "Canonical URL",
               url: "https://access.redhat.com/security/cve/CVE-2022-45693",
            },
            {
               category: "external",
               summary: "RHBZ#2155970",
               url: "https://bugzilla.redhat.com/show_bug.cgi?id=2155970",
            },
            {
               category: "external",
               summary: "https://www.cve.org/CVERecord?id=CVE-2022-45693",
               url: "https://www.cve.org/CVERecord?id=CVE-2022-45693",
            },
            {
               category: "external",
               summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-45693",
               url: "https://nvd.nist.gov/vuln/detail/CVE-2022-45693",
            },
         ],
         release_date: "2022-12-13T00:00:00+00:00",
         remediations: [
            {
               category: "vendor_fix",
               date: "2023-05-04T15:59:31+00:00",
               details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
               product_ids: [
                  "RHPAM 7.13.1 async",
               ],
               restart_required: {
                  category: "none",
               },
               url: "https://access.redhat.com/errata/RHSA-2023:2135",
            },
         ],
         scores: [
            {
               cvss_v3: {
                  attackComplexity: "LOW",
                  attackVector: "NETWORK",
                  availabilityImpact: "HIGH",
                  baseScore: 7.5,
                  baseSeverity: "HIGH",
                  confidentialityImpact: "NONE",
                  integrityImpact: "NONE",
                  privilegesRequired: "NONE",
                  scope: "UNCHANGED",
                  userInteraction: "NONE",
                  vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                  version: "3.1",
               },
               products: [
                  "RHPAM 7.13.1 async",
               ],
            },
         ],
         threats: [
            {
               category: "impact",
               details: "Moderate",
            },
         ],
         title: "jettison: If the value in map is the map's self, the new new JSONObject(map) cause StackOverflowError which may lead to dos",
      },
      {
         cve: "CVE-2022-46363",
         cwe: {
            id: "CWE-20",
            name: "Improper Input Validation",
         },
         discovery_date: "2022-12-21T00:00:00+00:00",
         ids: [
            {
               system_name: "Red Hat Bugzilla ID",
               text: "2155681",
            },
         ],
         notes: [
            {
               category: "description",
               text: "A vulnerability was found in Apache CXF that could allow an attacker to perform a remote directory listing or code exfiltration. This issue only applies when the CXFServlet is configured with both the static-resources-list and redirect-query-check attributes. These attributes are not supposed to be used together, so the issue can only occur if the CXF service is misconfigured.",
               title: "Vulnerability description",
            },
            {
               category: "summary",
               text: "CXF: directory listing / code exfiltration",
               title: "Vulnerability summary",
            },
            {
               category: "general",
               text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
               title: "CVSS score applicability",
            },
         ],
         product_status: {
            fixed: [
               "RHPAM 7.13.1 async",
            ],
         },
         references: [
            {
               category: "self",
               summary: "Canonical URL",
               url: "https://access.redhat.com/security/cve/CVE-2022-46363",
            },
            {
               category: "external",
               summary: "RHBZ#2155681",
               url: "https://bugzilla.redhat.com/show_bug.cgi?id=2155681",
            },
            {
               category: "external",
               summary: "https://www.cve.org/CVERecord?id=CVE-2022-46363",
               url: "https://www.cve.org/CVERecord?id=CVE-2022-46363",
            },
            {
               category: "external",
               summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-46363",
               url: "https://nvd.nist.gov/vuln/detail/CVE-2022-46363",
            },
            {
               category: "external",
               summary: "https://lists.apache.org/thread/pdzo1qgyplf4y523tnnzrcm7hoco3l8c",
               url: "https://lists.apache.org/thread/pdzo1qgyplf4y523tnnzrcm7hoco3l8c",
            },
         ],
         release_date: "2022-12-13T00:00:00+00:00",
         remediations: [
            {
               category: "vendor_fix",
               date: "2023-05-04T15:59:31+00:00",
               details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
               product_ids: [
                  "RHPAM 7.13.1 async",
               ],
               restart_required: {
                  category: "none",
               },
               url: "https://access.redhat.com/errata/RHSA-2023:2135",
            },
         ],
         scores: [
            {
               cvss_v3: {
                  attackComplexity: "LOW",
                  attackVector: "NETWORK",
                  availabilityImpact: "NONE",
                  baseScore: 7.5,
                  baseSeverity: "HIGH",
                  confidentialityImpact: "HIGH",
                  integrityImpact: "NONE",
                  privilegesRequired: "NONE",
                  scope: "UNCHANGED",
                  userInteraction: "NONE",
                  vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
                  version: "3.1",
               },
               products: [
                  "RHPAM 7.13.1 async",
               ],
            },
         ],
         threats: [
            {
               category: "impact",
               details: "Moderate",
            },
         ],
         title: "CXF: directory listing / code exfiltration",
      },
      {
         cve: "CVE-2022-46364",
         cwe: {
            id: "CWE-918",
            name: "Server-Side Request Forgery (SSRF)",
         },
         discovery_date: "2022-12-21T00:00:00+00:00",
         ids: [
            {
               system_name: "Red Hat Bugzilla ID",
               text: "2155682",
            },
         ],
         notes: [
            {
               category: "description",
               text: "A SSRF vulnerability was found in Apache CXF. This issue occurs when parsing the href attribute of XOP:Include in MTOM requests, allowing an attacker to perform SSRF style attacks on webservices that take at least one parameter of any type.",
               title: "Vulnerability description",
            },
            {
               category: "summary",
               text: "CXF: SSRF Vulnerability",
               title: "Vulnerability summary",
            },
            {
               category: "other",
               text: "Red Hat Integration Camel Quarkus does not support CXF extensions and so is affected at a reduced impact of Moderate.\nThe RHSSO server does not ship Apache CXF. The component mentioned in CVE-2022-46364 is a transitive dependency coming from Fuse adapters and the test suite.",
               title: "Statement",
            },
            {
               category: "general",
               text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
               title: "CVSS score applicability",
            },
         ],
         product_status: {
            fixed: [
               "RHPAM 7.13.1 async",
            ],
         },
         references: [
            {
               category: "self",
               summary: "Canonical URL",
               url: "https://access.redhat.com/security/cve/CVE-2022-46364",
            },
            {
               category: "external",
               summary: "RHBZ#2155682",
               url: "https://bugzilla.redhat.com/show_bug.cgi?id=2155682",
            },
            {
               category: "external",
               summary: "https://www.cve.org/CVERecord?id=CVE-2022-46364",
               url: "https://www.cve.org/CVERecord?id=CVE-2022-46364",
            },
            {
               category: "external",
               summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-46364",
               url: "https://nvd.nist.gov/vuln/detail/CVE-2022-46364",
            },
            {
               category: "external",
               summary: "https://cxf.apache.org/security-advisories.data/CVE-2022-46364.txt?version=1&modificationDate=1670944472739&api=v2",
               url: "https://cxf.apache.org/security-advisories.data/CVE-2022-46364.txt?version=1&modificationDate=1670944472739&api=v2",
            },
         ],
         release_date: "2022-12-13T00:00:00+00:00",
         remediations: [
            {
               category: "vendor_fix",
               date: "2023-05-04T15:59:31+00:00",
               details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
               product_ids: [
                  "RHPAM 7.13.1 async",
               ],
               restart_required: {
                  category: "none",
               },
               url: "https://access.redhat.com/errata/RHSA-2023:2135",
            },
         ],
         scores: [
            {
               cvss_v3: {
                  attackComplexity: "LOW",
                  attackVector: "NETWORK",
                  availabilityImpact: "HIGH",
                  baseScore: 9.8,
                  baseSeverity: "CRITICAL",
                  confidentialityImpact: "HIGH",
                  integrityImpact: "HIGH",
                  privilegesRequired: "NONE",
                  scope: "UNCHANGED",
                  userInteraction: "NONE",
                  vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                  version: "3.1",
               },
               products: [
                  "RHPAM 7.13.1 async",
               ],
            },
         ],
         threats: [
            {
               category: "impact",
               details: "Important",
            },
         ],
         title: "CXF: SSRF Vulnerability",
      },
      {
         cve: "CVE-2023-1108",
         cwe: {
            id: "CWE-835",
            name: "Loop with Unreachable Exit Condition ('Infinite Loop')",
         },
         discovery_date: "2023-02-07T00:00:00+00:00",
         ids: [
            {
               system_name: "Red Hat Bugzilla ID",
               text: "2174246",
            },
         ],
         notes: [
            {
               category: "description",
               text: "A flaw was found in undertow. This issue makes achieving a denial of service possible due to an unexpected handshake status updated in SslConduit, where the loop never terminates.",
               title: "Vulnerability description",
            },
            {
               category: "summary",
               text: "Undertow: Infinite loop in SslConduit during close",
               title: "Vulnerability summary",
            },
            {
               category: "general",
               text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
               title: "CVSS score applicability",
            },
         ],
         product_status: {
            fixed: [
               "RHPAM 7.13.1 async",
            ],
         },
         references: [
            {
               category: "self",
               summary: "Canonical URL",
               url: "https://access.redhat.com/security/cve/CVE-2023-1108",
            },
            {
               category: "external",
               summary: "RHBZ#2174246",
               url: "https://bugzilla.redhat.com/show_bug.cgi?id=2174246",
            },
            {
               category: "external",
               summary: "https://www.cve.org/CVERecord?id=CVE-2023-1108",
               url: "https://www.cve.org/CVERecord?id=CVE-2023-1108",
            },
            {
               category: "external",
               summary: "https://nvd.nist.gov/vuln/detail/CVE-2023-1108",
               url: "https://nvd.nist.gov/vuln/detail/CVE-2023-1108",
            },
            {
               category: "external",
               summary: "https://github.com/advisories/GHSA-m4mm-pg93-fv78",
               url: "https://github.com/advisories/GHSA-m4mm-pg93-fv78",
            },
         ],
         release_date: "2023-03-07T00:00:00+00:00",
         remediations: [
            {
               category: "vendor_fix",
               date: "2023-05-04T15:59:31+00:00",
               details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
               product_ids: [
                  "RHPAM 7.13.1 async",
               ],
               restart_required: {
                  category: "none",
               },
               url: "https://access.redhat.com/errata/RHSA-2023:2135",
            },
         ],
         scores: [
            {
               cvss_v3: {
                  attackComplexity: "LOW",
                  attackVector: "NETWORK",
                  availabilityImpact: "HIGH",
                  baseScore: 7.5,
                  baseSeverity: "HIGH",
                  confidentialityImpact: "NONE",
                  integrityImpact: "NONE",
                  privilegesRequired: "NONE",
                  scope: "UNCHANGED",
                  userInteraction: "NONE",
                  vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                  version: "3.1",
               },
               products: [
                  "RHPAM 7.13.1 async",
               ],
            },
         ],
         threats: [
            {
               category: "impact",
               details: "Important",
            },
         ],
         title: "Undertow: Infinite loop in SslConduit during close",
      },
   ],
}

rhsa-2023_2135

Vulnerability from csaf_redhat

Published

2023-05-04 15:59

Modified

2024-12-16 16:07

Summary

Red Hat Security Advisory: Red Hat Process Automation Manager 7.13.3 security update

Notes

Topic

Details

JSON

To clipboard

{
   document: {
      aggregate_severity: {
         namespace: "https://access.redhat.com/security/updates/classification/",
         text: "Important",
      },
      category: "csaf_security_advisory",
      csaf_version: "2.0",
      distribution: {
         text: "Copyright © Red Hat, Inc. All rights reserved.",
         tlp: {
            label: "WHITE",
            url: "https://www.first.org/tlp/",
         },
      },
      lang: "en",
      notes: [
         {
            category: "summary",
            text: "An update is now available for Red Hat Process Automation Manager.\n\nRed Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
            title: "Topic",
         },
         {
            category: "general",
            text: "Red Hat Process Automation Manager is an open source business process management suite that combines process management and decision service management and enables business and IT users to create, manage, validate, and deploy process applications and decision services.\n\nThis asynchronous security patch is an update to Red Hat Process Automation Manager 7.\n\nSecurity Fixes:\n\n* CXF: Apache CXF: SSRF Vulnerability (CVE-2022-46364)\n\n* keycloak: path traversal via double URL encoding (CVE-2022-3782)\n\n* undertow: Infinite loop in SslConduit during close (CVE-2023-1108)\n\n* commons-text: apache-commons-text: variable interpolation RCE (CVE-2022-42889)\n\n* jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS (CVE-2022-42003)\n\n* jackson-databind: use of deeply nested arrays (CVE-2022-42004)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
            title: "Details",
         },
         {
            category: "legal_disclaimer",
            text: "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
            title: "Terms of Use",
         },
      ],
      publisher: {
         category: "vendor",
         contact_details: "https://access.redhat.com/security/team/contact/",
         issuing_authority: "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
         name: "Red Hat Product Security",
         namespace: "https://www.redhat.com",
      },
      references: [
         {
            category: "self",
            summary: "https://access.redhat.com/errata/RHSA-2023:2135",
            url: "https://access.redhat.com/errata/RHSA-2023:2135",
         },
         {
            category: "external",
            summary: "https://access.redhat.com/security/updates/classification/#important",
            url: "https://access.redhat.com/security/updates/classification/#important",
         },
         {
            category: "external",
            summary: "2135244",
            url: "https://bugzilla.redhat.com/show_bug.cgi?id=2135244",
         },
         {
            category: "external",
            summary: "2135247",
            url: "https://bugzilla.redhat.com/show_bug.cgi?id=2135247",
         },
         {
            category: "external",
            summary: "2135435",
            url: "https://bugzilla.redhat.com/show_bug.cgi?id=2135435",
         },
         {
            category: "external",
            summary: "2138971",
            url: "https://bugzilla.redhat.com/show_bug.cgi?id=2138971",
         },
         {
            category: "external",
            summary: "2155682",
            url: "https://bugzilla.redhat.com/show_bug.cgi?id=2155682",
         },
         {
            category: "external",
            summary: "2174246",
            url: "https://bugzilla.redhat.com/show_bug.cgi?id=2174246",
         },
         {
            category: "self",
            summary: "Canonical URL",
            url: "https://security.access.redhat.com/data/csaf/v2/advisories/2023/rhsa-2023_2135.json",
         },
      ],
      title: "Red Hat Security Advisory: Red Hat Process Automation Manager 7.13.3 security update",
      tracking: {
         current_release_date: "2024-12-16T16:07:46+00:00",
         generator: {
            date: "2024-12-16T16:07:46+00:00",
            engine: {
               name: "Red Hat SDEngine",
               version: "4.2.3",
            },
         },
         id: "RHSA-2023:2135",
         initial_release_date: "2023-05-04T15:59:31+00:00",
         revision_history: [
            {
               date: "2023-05-04T15:59:31+00:00",
               number: "1",
               summary: "Initial version",
            },
            {
               date: "2023-05-04T15:59:31+00:00",
               number: "2",
               summary: "Last updated version",
            },
            {
               date: "2024-12-16T16:07:46+00:00",
               number: "3",
               summary: "Last generated version",
            },
         ],
         status: "final",
         version: "3",
      },
   },
   product_tree: {
      branches: [
         {
            branches: [
               {
                  branches: [
                     {
                        category: "product_name",
                        name: "RHPAM 7.13.1 async",
                        product: {
                           name: "RHPAM 7.13.1 async",
                           product_id: "RHPAM 7.13.1 async",
                           product_identification_helper: {
                              cpe: "cpe:/a:redhat:jboss_enterprise_bpms_platform:7.13",
                           },
                        },
                     },
                  ],
                  category: "product_family",
                  name: "Red Hat Process Automation Manager",
               },
            ],
            category: "vendor",
            name: "Red Hat",
         },
      ],
   },
   vulnerabilities: [
      {
         cve: "CVE-2022-3782",
         cwe: {
            id: "CWE-22",
            name: "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')",
         },
         discovery_date: "2022-10-31T00:00:00+00:00",
         ids: [
            {
               system_name: "Red Hat Bugzilla ID",
               text: "2138971",
            },
         ],
         notes: [
            {
               category: "description",
               text: "A flaw was found in Keycloak, where it does not properly validate URLs included in a redirect. An attacker can use this flaw to construct a malicious request to bypass validation and access other URLs and potentially sensitive information within the domain or possibly conduct further attacks. This flaw affects any client that utilizes a wildcard in the Valid Redirect URIs field.",
               title: "Vulnerability description",
            },
            {
               category: "summary",
               text: "keycloak: path traversal via double URL encoding",
               title: "Vulnerability summary",
            },
            {
               category: "other",
               text: "Red Hat Build of Quarkus is not impacted as this CVE affects the server-side Keycloak execution but Quarkus only acts as a Keycloak client in its quarkus-keycloak-authorization extension. For this reason Quarkus is marked with Low impact.",
               title: "Statement",
            },
            {
               category: "general",
               text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
               title: "CVSS score applicability",
            },
         ],
         product_status: {
            fixed: [
               "RHPAM 7.13.1 async",
            ],
         },
         references: [
            {
               category: "self",
               summary: "Canonical URL",
               url: "https://access.redhat.com/security/cve/CVE-2022-3782",
            },
            {
               category: "external",
               summary: "RHBZ#2138971",
               url: "https://bugzilla.redhat.com/show_bug.cgi?id=2138971",
            },
            {
               category: "external",
               summary: "https://www.cve.org/CVERecord?id=CVE-2022-3782",
               url: "https://www.cve.org/CVERecord?id=CVE-2022-3782",
            },
            {
               category: "external",
               summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-3782",
               url: "https://nvd.nist.gov/vuln/detail/CVE-2022-3782",
            },
         ],
         release_date: "2022-12-12T00:00:00+00:00",
         remediations: [
            {
               category: "vendor_fix",
               date: "2023-05-04T15:59:31+00:00",
               details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
               product_ids: [
                  "RHPAM 7.13.1 async",
               ],
               restart_required: {
                  category: "none",
               },
               url: "https://access.redhat.com/errata/RHSA-2023:2135",
            },
         ],
         scores: [
            {
               cvss_v3: {
                  attackComplexity: "LOW",
                  attackVector: "NETWORK",
                  availabilityImpact: "NONE",
                  baseScore: 8.1,
                  baseSeverity: "HIGH",
                  confidentialityImpact: "HIGH",
                  integrityImpact: "HIGH",
                  privilegesRequired: "NONE",
                  scope: "UNCHANGED",
                  userInteraction: "REQUIRED",
                  vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
                  version: "3.1",
               },
               products: [
                  "RHPAM 7.13.1 async",
               ],
            },
         ],
         threats: [
            {
               category: "impact",
               details: "Important",
            },
         ],
         title: "keycloak: path traversal via double URL encoding",
      },
      {
         cve: "CVE-2022-4244",
         cwe: {
            id: "CWE-22",
            name: "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')",
         },
         discovery_date: "2022-12-01T00:00:00+00:00",
         ids: [
            {
               system_name: "Red Hat Bugzilla ID",
               text: "2149841",
            },
         ],
         notes: [
            {
               category: "description",
               text: "A flaw was found in codeplex-codehaus. A directory traversal attack (also known as path traversal) aims to access files and directories stored outside the intended folder. By manipulating files with \"dot-dot-slash (../)\" sequences and their variations or by using absolute file paths, it may be possible to access arbitrary files and directories stored on the file system, including application source code, configuration, and other critical system files.",
               title: "Vulnerability description",
            },
            {
               category: "summary",
               text: "codehaus-plexus: Directory Traversal",
               title: "Vulnerability summary",
            },
            {
               category: "other",
               text: "Red Hat Single Sign-On uses this package for testing purposes and is not delivered with the distribution. Hence not affected status.",
               title: "Statement",
            },
            {
               category: "general",
               text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
               title: "CVSS score applicability",
            },
         ],
         product_status: {
            fixed: [
               "RHPAM 7.13.1 async",
            ],
         },
         references: [
            {
               category: "self",
               summary: "Canonical URL",
               url: "https://access.redhat.com/security/cve/CVE-2022-4244",
            },
            {
               category: "external",
               summary: "RHBZ#2149841",
               url: "https://bugzilla.redhat.com/show_bug.cgi?id=2149841",
            },
            {
               category: "external",
               summary: "https://www.cve.org/CVERecord?id=CVE-2022-4244",
               url: "https://www.cve.org/CVERecord?id=CVE-2022-4244",
            },
            {
               category: "external",
               summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-4244",
               url: "https://nvd.nist.gov/vuln/detail/CVE-2022-4244",
            },
         ],
         release_date: "2022-12-01T00:00:00+00:00",
         remediations: [
            {
               category: "vendor_fix",
               date: "2023-05-04T15:59:31+00:00",
               details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
               product_ids: [
                  "RHPAM 7.13.1 async",
               ],
               restart_required: {
                  category: "none",
               },
               url: "https://access.redhat.com/errata/RHSA-2023:2135",
            },
         ],
         scores: [
            {
               cvss_v3: {
                  attackComplexity: "LOW",
                  attackVector: "NETWORK",
                  availabilityImpact: "NONE",
                  baseScore: 7.5,
                  baseSeverity: "HIGH",
                  confidentialityImpact: "HIGH",
                  integrityImpact: "NONE",
                  privilegesRequired: "NONE",
                  scope: "UNCHANGED",
                  userInteraction: "NONE",
                  vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
                  version: "3.1",
               },
               products: [
                  "RHPAM 7.13.1 async",
               ],
            },
         ],
         threats: [
            {
               category: "impact",
               details: "Moderate",
            },
         ],
         title: "codehaus-plexus: Directory Traversal",
      },
      {
         cve: "CVE-2022-4245",
         cwe: {
            id: "CWE-91",
            name: "XML Injection (aka Blind XPath Injection)",
         },
         discovery_date: "2022-12-01T00:00:00+00:00",
         ids: [
            {
               system_name: "Red Hat Bugzilla ID",
               text: "2149843",
            },
         ],
         notes: [
            {
               category: "description",
               text: "A flaw was found in codehaus-plexus. The org.codehaus.plexus.util.xml.XmlWriterUtil#writeComment fails to sanitize comments for a --> sequence. This issue means that text contained in the command string could be interpreted as XML and allow for XML injection.",
               title: "Vulnerability description",
            },
            {
               category: "summary",
               text: "codehaus-plexus: XML External Entity (XXE) Injection",
               title: "Vulnerability summary",
            },
            {
               category: "general",
               text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
               title: "CVSS score applicability",
            },
         ],
         product_status: {
            fixed: [
               "RHPAM 7.13.1 async",
            ],
         },
         references: [
            {
               category: "self",
               summary: "Canonical URL",
               url: "https://access.redhat.com/security/cve/CVE-2022-4245",
            },
            {
               category: "external",
               summary: "RHBZ#2149843",
               url: "https://bugzilla.redhat.com/show_bug.cgi?id=2149843",
            },
            {
               category: "external",
               summary: "https://www.cve.org/CVERecord?id=CVE-2022-4245",
               url: "https://www.cve.org/CVERecord?id=CVE-2022-4245",
            },
            {
               category: "external",
               summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-4245",
               url: "https://nvd.nist.gov/vuln/detail/CVE-2022-4245",
            },
         ],
         release_date: "2022-12-01T00:00:00+00:00",
         remediations: [
            {
               category: "vendor_fix",
               date: "2023-05-04T15:59:31+00:00",
               details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
               product_ids: [
                  "RHPAM 7.13.1 async",
               ],
               restart_required: {
                  category: "none",
               },
               url: "https://access.redhat.com/errata/RHSA-2023:2135",
            },
         ],
         scores: [
            {
               cvss_v3: {
                  attackComplexity: "LOW",
                  attackVector: "NETWORK",
                  availabilityImpact: "NONE",
                  baseScore: 4.3,
                  baseSeverity: "MEDIUM",
                  confidentialityImpact: "LOW",
                  integrityImpact: "NONE",
                  privilegesRequired: "LOW",
                  scope: "UNCHANGED",
                  userInteraction: "NONE",
                  vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
                  version: "3.1",
               },
               products: [
                  "RHPAM 7.13.1 async",
               ],
            },
         ],
         threats: [
            {
               category: "impact",
               details: "Moderate",
            },
         ],
         title: "codehaus-plexus: XML External Entity (XXE) Injection",
      },
      {
         cve: "CVE-2022-40149",
         cwe: {
            id: "CWE-787",
            name: "Out-of-bounds Write",
         },
         discovery_date: "2022-10-18T00:00:00+00:00",
         ids: [
            {
               system_name: "Red Hat Bugzilla ID",
               text: "2135771",
            },
         ],
         notes: [
            {
               category: "description",
               text: "A stack-based buffer overflow vulnerability was found in Jettison, where parsing an untrusted XML or JSON data may lead to a crash. This flaw allows an attacker to supply content that causes the parser to crash by writing outside the memory bounds if the parser is running on user-supplied input, resulting in a denial of service attack.",
               title: "Vulnerability description",
            },
            {
               category: "summary",
               text: "jettison: parser crash by stackoverflow",
               title: "Vulnerability summary",
            },
            {
               category: "general",
               text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
               title: "CVSS score applicability",
            },
         ],
         product_status: {
            fixed: [
               "RHPAM 7.13.1 async",
            ],
         },
         references: [
            {
               category: "self",
               summary: "Canonical URL",
               url: "https://access.redhat.com/security/cve/CVE-2022-40149",
            },
            {
               category: "external",
               summary: "RHBZ#2135771",
               url: "https://bugzilla.redhat.com/show_bug.cgi?id=2135771",
            },
            {
               category: "external",
               summary: "https://www.cve.org/CVERecord?id=CVE-2022-40149",
               url: "https://www.cve.org/CVERecord?id=CVE-2022-40149",
            },
            {
               category: "external",
               summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-40149",
               url: "https://nvd.nist.gov/vuln/detail/CVE-2022-40149",
            },
            {
               category: "external",
               summary: "https://github.com/jettison-json/jettison/releases/tag/jettison-1.5.1",
               url: "https://github.com/jettison-json/jettison/releases/tag/jettison-1.5.1",
            },
         ],
         release_date: "2022-09-20T00:00:00+00:00",
         remediations: [
            {
               category: "vendor_fix",
               date: "2023-05-04T15:59:31+00:00",
               details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
               product_ids: [
                  "RHPAM 7.13.1 async",
               ],
               restart_required: {
                  category: "none",
               },
               url: "https://access.redhat.com/errata/RHSA-2023:2135",
            },
         ],
         scores: [
            {
               cvss_v3: {
                  attackComplexity: "LOW",
                  attackVector: "NETWORK",
                  availabilityImpact: "HIGH",
                  baseScore: 7.5,
                  baseSeverity: "HIGH",
                  confidentialityImpact: "NONE",
                  integrityImpact: "NONE",
                  privilegesRequired: "NONE",
                  scope: "UNCHANGED",
                  userInteraction: "NONE",
                  vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                  version: "3.1",
               },
               products: [
                  "RHPAM 7.13.1 async",
               ],
            },
         ],
         threats: [
            {
               category: "impact",
               details: "Moderate",
            },
         ],
         title: "jettison: parser crash by stackoverflow",
      },
      {
         cve: "CVE-2022-40150",
         cwe: {
            id: "CWE-400",
            name: "Uncontrolled Resource Consumption",
         },
         discovery_date: "2022-10-18T00:00:00+00:00",
         ids: [
            {
               system_name: "Red Hat Bugzilla ID",
               text: "2135770",
            },
         ],
         notes: [
            {
               category: "description",
               text: "A vulnerability was found in Jettison, where parsing an untrusted XML or JSON data may lead to a crash. If the parser is running on user-supplied input, an attacker may supply content that causes the parser to crash, causing memory exhaustion. This effect may support a denial of service attack.",
               title: "Vulnerability description",
            },
            {
               category: "summary",
               text: "jettison: memory exhaustion via user-supplied XML or JSON data",
               title: "Vulnerability summary",
            },
            {
               category: "general",
               text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
               title: "CVSS score applicability",
            },
         ],
         product_status: {
            fixed: [
               "RHPAM 7.13.1 async",
            ],
         },
         references: [
            {
               category: "self",
               summary: "Canonical URL",
               url: "https://access.redhat.com/security/cve/CVE-2022-40150",
            },
            {
               category: "external",
               summary: "RHBZ#2135770",
               url: "https://bugzilla.redhat.com/show_bug.cgi?id=2135770",
            },
            {
               category: "external",
               summary: "https://www.cve.org/CVERecord?id=CVE-2022-40150",
               url: "https://www.cve.org/CVERecord?id=CVE-2022-40150",
            },
            {
               category: "external",
               summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-40150",
               url: "https://nvd.nist.gov/vuln/detail/CVE-2022-40150",
            },
            {
               category: "external",
               summary: "https://github.com/jettison-json/jettison/releases/tag/jettison-1.5.1",
               url: "https://github.com/jettison-json/jettison/releases/tag/jettison-1.5.1",
            },
         ],
         release_date: "2022-09-20T00:00:00+00:00",
         remediations: [
            {
               category: "vendor_fix",
               date: "2023-05-04T15:59:31+00:00",
               details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
               product_ids: [
                  "RHPAM 7.13.1 async",
               ],
               restart_required: {
                  category: "none",
               },
               url: "https://access.redhat.com/errata/RHSA-2023:2135",
            },
         ],
         scores: [
            {
               cvss_v3: {
                  attackComplexity: "LOW",
                  attackVector: "NETWORK",
                  availabilityImpact: "HIGH",
                  baseScore: 7.5,
                  baseSeverity: "HIGH",
                  confidentialityImpact: "NONE",
                  integrityImpact: "NONE",
                  privilegesRequired: "NONE",
                  scope: "UNCHANGED",
                  userInteraction: "NONE",
                  vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                  version: "3.1",
               },
               products: [
                  "RHPAM 7.13.1 async",
               ],
            },
         ],
         threats: [
            {
               category: "impact",
               details: "Low",
            },
         ],
         title: "jettison: memory exhaustion via user-supplied XML or JSON data",
      },
      {
         cve: "CVE-2022-42003",
         cwe: {
            id: "CWE-502",
            name: "Deserialization of Untrusted Data",
         },
         discovery_date: "2022-10-17T00:00:00+00:00",
         ids: [
            {
               system_name: "Red Hat Bugzilla ID",
               text: "2135244",
            },
         ],
         notes: [
            {
               category: "description",
               text: "A flaw was found in FasterXML jackson-databind. This issue could allow an attacker to benefit from resource exhaustion when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled due to unchecked primitive value deserializers to avoid deep wrapper array nesting.",
               title: "Vulnerability description",
            },
            {
               category: "summary",
               text: "jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS",
               title: "Vulnerability summary",
            },
            {
               category: "general",
               text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
               title: "CVSS score applicability",
            },
         ],
         product_status: {
            fixed: [
               "RHPAM 7.13.1 async",
            ],
         },
         references: [
            {
               category: "self",
               summary: "Canonical URL",
               url: "https://access.redhat.com/security/cve/CVE-2022-42003",
            },
            {
               category: "external",
               summary: "RHBZ#2135244",
               url: "https://bugzilla.redhat.com/show_bug.cgi?id=2135244",
            },
            {
               category: "external",
               summary: "https://www.cve.org/CVERecord?id=CVE-2022-42003",
               url: "https://www.cve.org/CVERecord?id=CVE-2022-42003",
            },
            {
               category: "external",
               summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-42003",
               url: "https://nvd.nist.gov/vuln/detail/CVE-2022-42003",
            },
         ],
         release_date: "2022-10-02T00:00:00+00:00",
         remediations: [
            {
               category: "vendor_fix",
               date: "2023-05-04T15:59:31+00:00",
               details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
               product_ids: [
                  "RHPAM 7.13.1 async",
               ],
               restart_required: {
                  category: "none",
               },
               url: "https://access.redhat.com/errata/RHSA-2023:2135",
            },
         ],
         scores: [
            {
               cvss_v3: {
                  attackComplexity: "LOW",
                  attackVector: "NETWORK",
                  availabilityImpact: "HIGH",
                  baseScore: 7.5,
                  baseSeverity: "HIGH",
                  confidentialityImpact: "NONE",
                  integrityImpact: "NONE",
                  privilegesRequired: "NONE",
                  scope: "UNCHANGED",
                  userInteraction: "NONE",
                  vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                  version: "3.1",
               },
               products: [
                  "RHPAM 7.13.1 async",
               ],
            },
         ],
         threats: [
            {
               category: "impact",
               details: "Moderate",
            },
         ],
         title: "jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS",
      },
      {
         cve: "CVE-2022-42004",
         cwe: {
            id: "CWE-502",
            name: "Deserialization of Untrusted Data",
         },
         discovery_date: "2022-10-17T00:00:00+00:00",
         ids: [
            {
               system_name: "Red Hat Bugzilla ID",
               text: "2135247",
            },
         ],
         notes: [
            {
               category: "description",
               text: "A flaw was found In FasterXML jackson-databind. This issue could allow an attacker to benefit from resource exhaustion due to the lack of a check in BeanDeserializer._deserializeFromArray to prevent the use of deeply nested arrays. An application is only vulnerable with certain customized choices for deserialization.",
               title: "Vulnerability description",
            },
            {
               category: "summary",
               text: "jackson-databind: use of deeply nested arrays",
               title: "Vulnerability summary",
            },
            {
               category: "general",
               text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
               title: "CVSS score applicability",
            },
         ],
         product_status: {
            fixed: [
               "RHPAM 7.13.1 async",
            ],
         },
         references: [
            {
               category: "self",
               summary: "Canonical URL",
               url: "https://access.redhat.com/security/cve/CVE-2022-42004",
            },
            {
               category: "external",
               summary: "RHBZ#2135247",
               url: "https://bugzilla.redhat.com/show_bug.cgi?id=2135247",
            },
            {
               category: "external",
               summary: "https://www.cve.org/CVERecord?id=CVE-2022-42004",
               url: "https://www.cve.org/CVERecord?id=CVE-2022-42004",
            },
            {
               category: "external",
               summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-42004",
               url: "https://nvd.nist.gov/vuln/detail/CVE-2022-42004",
            },
         ],
         release_date: "2022-10-02T00:00:00+00:00",
         remediations: [
            {
               category: "vendor_fix",
               date: "2023-05-04T15:59:31+00:00",
               details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
               product_ids: [
                  "RHPAM 7.13.1 async",
               ],
               restart_required: {
                  category: "none",
               },
               url: "https://access.redhat.com/errata/RHSA-2023:2135",
            },
         ],
         scores: [
            {
               cvss_v3: {
                  attackComplexity: "LOW",
                  attackVector: "NETWORK",
                  availabilityImpact: "HIGH",
                  baseScore: 7.5,
                  baseSeverity: "HIGH",
                  confidentialityImpact: "NONE",
                  integrityImpact: "NONE",
                  privilegesRequired: "NONE",
                  scope: "UNCHANGED",
                  userInteraction: "NONE",
                  vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                  version: "3.1",
               },
               products: [
                  "RHPAM 7.13.1 async",
               ],
            },
         ],
         threats: [
            {
               category: "impact",
               details: "Moderate",
            },
         ],
         title: "jackson-databind: use of deeply nested arrays",
      },
      {
         cve: "CVE-2022-42889",
         cwe: {
            id: "CWE-1188",
            name: "Initialization of a Resource with an Insecure Default",
         },
         discovery_date: "2022-10-15T00:00:00+00:00",
         ids: [
            {
               system_name: "Red Hat Bugzilla ID",
               text: "2135435",
            },
         ],
         notes: [
            {
               category: "description",
               text: "A flaw was found in Apache Commons Text packages 1.5 through 1.9.  The affected versions allow an attacker to benefit from a variable interpolation process contained in Apache Commons Text, which can cause properties to be dynamically defined. Server applications are vulnerable to remote code execution (RCE) and unintentional contact with untrusted remote servers.",
               title: "Vulnerability description",
            },
            {
               category: "summary",
               text: "apache-commons-text: variable interpolation RCE",
               title: "Vulnerability summary",
            },
            {
               category: "other",
               text: "In order to carry successful exploitation of this vulnerability, the following conditions must be in place on the affected target:\n  - Usage of specific methods that interpolate the variables as described in the flaw\n  - Usage of external input for those methods\n  - Usage of that external input has to be unsanitized/no \"allow list\"/etc.\n\nThe following products have *Low* impact because they have maven references to the affected package but do not ship it nor use the code:\n- Red Hat EAP Expansion Pack (EAP-XP)\n- Red Hat Camel-K\n- Red Hat Camel-Quarkus\n\nRed Hat Satellite ships Candlepin that embeds Apache Commons Text, however, it is not vulnerable to the flaw since the library has not been exposed in the product code. In Candlepin, the Commons Text is being pulled for the Liquibase and ActiveMQ Artemis libraries as a dependency. Red Hat Product Security has evaluated and rated the impact of the flaw as Low for Satellite since there was no harm identified to the confidentiality, integrity, or availability of systems.\n\n- The OCP has a *Moderate* impact because the affected library is a third-party library in the OCP jenkins-2-plugin component which reduces the possibilities of successful exploitation.\n- The OCP-4.8 is affected by this CVE and is in an extended life phase. For versions of products in the Extended Life Phase, Red Hat will provide limited ongoing technical support. No bug fixes, security fixes, hardware enablement or root-cause analysis will be available during this phase, and support will be provided on existing installations only.",
               title: "Statement",
            },
            {
               category: "general",
               text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
               title: "CVSS score applicability",
            },
         ],
         product_status: {
            fixed: [
               "RHPAM 7.13.1 async",
            ],
         },
         references: [
            {
               category: "self",
               summary: "Canonical URL",
               url: "https://access.redhat.com/security/cve/CVE-2022-42889",
            },
            {
               category: "external",
               summary: "RHBZ#2135435",
               url: "https://bugzilla.redhat.com/show_bug.cgi?id=2135435",
            },
            {
               category: "external",
               summary: "https://www.cve.org/CVERecord?id=CVE-2022-42889",
               url: "https://www.cve.org/CVERecord?id=CVE-2022-42889",
            },
            {
               category: "external",
               summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-42889",
               url: "https://nvd.nist.gov/vuln/detail/CVE-2022-42889",
            },
            {
               category: "external",
               summary: "https://blogs.apache.org/security/entry/cve-2022-42889",
               url: "https://blogs.apache.org/security/entry/cve-2022-42889",
            },
            {
               category: "external",
               summary: "https://lists.apache.org/thread/n2bd4vdsgkqh2tm14l1wyc3jyol7s1om",
               url: "https://lists.apache.org/thread/n2bd4vdsgkqh2tm14l1wyc3jyol7s1om",
            },
            {
               category: "external",
               summary: "https://seclists.org/oss-sec/2022/q4/22",
               url: "https://seclists.org/oss-sec/2022/q4/22",
            },
         ],
         release_date: "2022-10-13T00:00:00+00:00",
         remediations: [
            {
               category: "vendor_fix",
               date: "2023-05-04T15:59:31+00:00",
               details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
               product_ids: [
                  "RHPAM 7.13.1 async",
               ],
               restart_required: {
                  category: "none",
               },
               url: "https://access.redhat.com/errata/RHSA-2023:2135",
            },
            {
               category: "workaround",
               details: "This flaw may be avoided by ensuring that any external inputs used with the Commons-Text lookup methods are sanitized properly. Untrusted input should always be thoroughly sanitized before using in any potentially risky situations.",
               product_ids: [
                  "RHPAM 7.13.1 async",
               ],
            },
         ],
         scores: [
            {
               cvss_v3: {
                  attackComplexity: "LOW",
                  attackVector: "NETWORK",
                  availabilityImpact: "HIGH",
                  baseScore: 9.8,
                  baseSeverity: "CRITICAL",
                  confidentialityImpact: "HIGH",
                  integrityImpact: "HIGH",
                  privilegesRequired: "NONE",
                  scope: "UNCHANGED",
                  userInteraction: "NONE",
                  vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                  version: "3.1",
               },
               products: [
                  "RHPAM 7.13.1 async",
               ],
            },
         ],
         threats: [
            {
               category: "impact",
               details: "Moderate",
            },
         ],
         title: "apache-commons-text: variable interpolation RCE",
      },
      {
         cve: "CVE-2022-45693",
         cwe: {
            id: "CWE-787",
            name: "Out-of-bounds Write",
         },
         discovery_date: "2022-12-23T00:00:00+00:00",
         ids: [
            {
               system_name: "Red Hat Bugzilla ID",
               text: "2155970",
            },
         ],
         notes: [
            {
               category: "description",
               text: "A flaw was found in Jettison, where it is vulnerable to a denial of service caused by a stack-based buffer overflow. By sending a specially-crafted request using the map parameter, a remote attacker can cause a denial of service.",
               title: "Vulnerability description",
            },
            {
               category: "summary",
               text: "jettison: If the value in map is the map's self, the new new JSONObject(map) cause StackOverflowError which may lead to dos",
               title: "Vulnerability summary",
            },
            {
               category: "other",
               text: "Red Hat has determined the impact of this flaw to be Moderate; a successful attack using this flaw would require the processing of untrusted, unsanitized, or unrestricted user inputs, which runs counter to established Red Hat security practices.",
               title: "Statement",
            },
            {
               category: "general",
               text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
               title: "CVSS score applicability",
            },
         ],
         product_status: {
            fixed: [
               "RHPAM 7.13.1 async",
            ],
         },
         references: [
            {
               category: "self",
               summary: "Canonical URL",
               url: "https://access.redhat.com/security/cve/CVE-2022-45693",
            },
            {
               category: "external",
               summary: "RHBZ#2155970",
               url: "https://bugzilla.redhat.com/show_bug.cgi?id=2155970",
            },
            {
               category: "external",
               summary: "https://www.cve.org/CVERecord?id=CVE-2022-45693",
               url: "https://www.cve.org/CVERecord?id=CVE-2022-45693",
            },
            {
               category: "external",
               summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-45693",
               url: "https://nvd.nist.gov/vuln/detail/CVE-2022-45693",
            },
         ],
         release_date: "2022-12-13T00:00:00+00:00",
         remediations: [
            {
               category: "vendor_fix",
               date: "2023-05-04T15:59:31+00:00",
               details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
               product_ids: [
                  "RHPAM 7.13.1 async",
               ],
               restart_required: {
                  category: "none",
               },
               url: "https://access.redhat.com/errata/RHSA-2023:2135",
            },
         ],
         scores: [
            {
               cvss_v3: {
                  attackComplexity: "LOW",
                  attackVector: "NETWORK",
                  availabilityImpact: "HIGH",
                  baseScore: 7.5,
                  baseSeverity: "HIGH",
                  confidentialityImpact: "NONE",
                  integrityImpact: "NONE",
                  privilegesRequired: "NONE",
                  scope: "UNCHANGED",
                  userInteraction: "NONE",
                  vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                  version: "3.1",
               },
               products: [
                  "RHPAM 7.13.1 async",
               ],
            },
         ],
         threats: [
            {
               category: "impact",
               details: "Moderate",
            },
         ],
         title: "jettison: If the value in map is the map's self, the new new JSONObject(map) cause StackOverflowError which may lead to dos",
      },
      {
         cve: "CVE-2022-46363",
         cwe: {
            id: "CWE-20",
            name: "Improper Input Validation",
         },
         discovery_date: "2022-12-21T00:00:00+00:00",
         ids: [
            {
               system_name: "Red Hat Bugzilla ID",
               text: "2155681",
            },
         ],
         notes: [
            {
               category: "description",
               text: "A vulnerability was found in Apache CXF that could allow an attacker to perform a remote directory listing or code exfiltration. This issue only applies when the CXFServlet is configured with both the static-resources-list and redirect-query-check attributes. These attributes are not supposed to be used together, so the issue can only occur if the CXF service is misconfigured.",
               title: "Vulnerability description",
            },
            {
               category: "summary",
               text: "CXF: directory listing / code exfiltration",
               title: "Vulnerability summary",
            },
            {
               category: "general",
               text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
               title: "CVSS score applicability",
            },
         ],
         product_status: {
            fixed: [
               "RHPAM 7.13.1 async",
            ],
         },
         references: [
            {
               category: "self",
               summary: "Canonical URL",
               url: "https://access.redhat.com/security/cve/CVE-2022-46363",
            },
            {
               category: "external",
               summary: "RHBZ#2155681",
               url: "https://bugzilla.redhat.com/show_bug.cgi?id=2155681",
            },
            {
               category: "external",
               summary: "https://www.cve.org/CVERecord?id=CVE-2022-46363",
               url: "https://www.cve.org/CVERecord?id=CVE-2022-46363",
            },
            {
               category: "external",
               summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-46363",
               url: "https://nvd.nist.gov/vuln/detail/CVE-2022-46363",
            },
            {
               category: "external",
               summary: "https://lists.apache.org/thread/pdzo1qgyplf4y523tnnzrcm7hoco3l8c",
               url: "https://lists.apache.org/thread/pdzo1qgyplf4y523tnnzrcm7hoco3l8c",
            },
         ],
         release_date: "2022-12-13T00:00:00+00:00",
         remediations: [
            {
               category: "vendor_fix",
               date: "2023-05-04T15:59:31+00:00",
               details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
               product_ids: [
                  "RHPAM 7.13.1 async",
               ],
               restart_required: {
                  category: "none",
               },
               url: "https://access.redhat.com/errata/RHSA-2023:2135",
            },
         ],
         scores: [
            {
               cvss_v3: {
                  attackComplexity: "LOW",
                  attackVector: "NETWORK",
                  availabilityImpact: "NONE",
                  baseScore: 7.5,
                  baseSeverity: "HIGH",
                  confidentialityImpact: "HIGH",
                  integrityImpact: "NONE",
                  privilegesRequired: "NONE",
                  scope: "UNCHANGED",
                  userInteraction: "NONE",
                  vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
                  version: "3.1",
               },
               products: [
                  "RHPAM 7.13.1 async",
               ],
            },
         ],
         threats: [
            {
               category: "impact",
               details: "Moderate",
            },
         ],
         title: "CXF: directory listing / code exfiltration",
      },
      {
         cve: "CVE-2022-46364",
         cwe: {
            id: "CWE-918",
            name: "Server-Side Request Forgery (SSRF)",
         },
         discovery_date: "2022-12-21T00:00:00+00:00",
         ids: [
            {
               system_name: "Red Hat Bugzilla ID",
               text: "2155682",
            },
         ],
         notes: [
            {
               category: "description",
               text: "A SSRF vulnerability was found in Apache CXF. This issue occurs when parsing the href attribute of XOP:Include in MTOM requests, allowing an attacker to perform SSRF style attacks on webservices that take at least one parameter of any type.",
               title: "Vulnerability description",
            },
            {
               category: "summary",
               text: "CXF: SSRF Vulnerability",
               title: "Vulnerability summary",
            },
            {
               category: "other",
               text: "Red Hat Integration Camel Quarkus does not support CXF extensions and so is affected at a reduced impact of Moderate.\nThe RHSSO server does not ship Apache CXF. The component mentioned in CVE-2022-46364 is a transitive dependency coming from Fuse adapters and the test suite.",
               title: "Statement",
            },
            {
               category: "general",
               text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
               title: "CVSS score applicability",
            },
         ],
         product_status: {
            fixed: [
               "RHPAM 7.13.1 async",
            ],
         },
         references: [
            {
               category: "self",
               summary: "Canonical URL",
               url: "https://access.redhat.com/security/cve/CVE-2022-46364",
            },
            {
               category: "external",
               summary: "RHBZ#2155682",
               url: "https://bugzilla.redhat.com/show_bug.cgi?id=2155682",
            },
            {
               category: "external",
               summary: "https://www.cve.org/CVERecord?id=CVE-2022-46364",
               url: "https://www.cve.org/CVERecord?id=CVE-2022-46364",
            },
            {
               category: "external",
               summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-46364",
               url: "https://nvd.nist.gov/vuln/detail/CVE-2022-46364",
            },
            {
               category: "external",
               summary: "https://cxf.apache.org/security-advisories.data/CVE-2022-46364.txt?version=1&modificationDate=1670944472739&api=v2",
               url: "https://cxf.apache.org/security-advisories.data/CVE-2022-46364.txt?version=1&modificationDate=1670944472739&api=v2",
            },
         ],
         release_date: "2022-12-13T00:00:00+00:00",
         remediations: [
            {
               category: "vendor_fix",
               date: "2023-05-04T15:59:31+00:00",
               details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
               product_ids: [
                  "RHPAM 7.13.1 async",
               ],
               restart_required: {
                  category: "none",
               },
               url: "https://access.redhat.com/errata/RHSA-2023:2135",
            },
         ],
         scores: [
            {
               cvss_v3: {
                  attackComplexity: "LOW",
                  attackVector: "NETWORK",
                  availabilityImpact: "HIGH",
                  baseScore: 9.8,
                  baseSeverity: "CRITICAL",
                  confidentialityImpact: "HIGH",
                  integrityImpact: "HIGH",
                  privilegesRequired: "NONE",
                  scope: "UNCHANGED",
                  userInteraction: "NONE",
                  vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                  version: "3.1",
               },
               products: [
                  "RHPAM 7.13.1 async",
               ],
            },
         ],
         threats: [
            {
               category: "impact",
               details: "Important",
            },
         ],
         title: "CXF: SSRF Vulnerability",
      },
      {
         cve: "CVE-2023-1108",
         cwe: {
            id: "CWE-835",
            name: "Loop with Unreachable Exit Condition ('Infinite Loop')",
         },
         discovery_date: "2023-02-07T00:00:00+00:00",
         ids: [
            {
               system_name: "Red Hat Bugzilla ID",
               text: "2174246",
            },
         ],
         notes: [
            {
               category: "description",
               text: "A flaw was found in undertow. This issue makes achieving a denial of service possible due to an unexpected handshake status updated in SslConduit, where the loop never terminates.",
               title: "Vulnerability description",
            },
            {
               category: "summary",
               text: "Undertow: Infinite loop in SslConduit during close",
               title: "Vulnerability summary",
            },
            {
               category: "general",
               text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
               title: "CVSS score applicability",
            },
         ],
         product_status: {
            fixed: [
               "RHPAM 7.13.1 async",
            ],
         },
         references: [
            {
               category: "self",
               summary: "Canonical URL",
               url: "https://access.redhat.com/security/cve/CVE-2023-1108",
            },
            {
               category: "external",
               summary: "RHBZ#2174246",
               url: "https://bugzilla.redhat.com/show_bug.cgi?id=2174246",
            },
            {
               category: "external",
               summary: "https://www.cve.org/CVERecord?id=CVE-2023-1108",
               url: "https://www.cve.org/CVERecord?id=CVE-2023-1108",
            },
            {
               category: "external",
               summary: "https://nvd.nist.gov/vuln/detail/CVE-2023-1108",
               url: "https://nvd.nist.gov/vuln/detail/CVE-2023-1108",
            },
            {
               category: "external",
               summary: "https://github.com/advisories/GHSA-m4mm-pg93-fv78",
               url: "https://github.com/advisories/GHSA-m4mm-pg93-fv78",
            },
         ],
         release_date: "2023-03-07T00:00:00+00:00",
         remediations: [
            {
               category: "vendor_fix",
               date: "2023-05-04T15:59:31+00:00",
               details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
               product_ids: [
                  "RHPAM 7.13.1 async",
               ],
               restart_required: {
                  category: "none",
               },
               url: "https://access.redhat.com/errata/RHSA-2023:2135",
            },
         ],
         scores: [
            {
               cvss_v3: {
                  attackComplexity: "LOW",
                  attackVector: "NETWORK",
                  availabilityImpact: "HIGH",
                  baseScore: 7.5,
                  baseSeverity: "HIGH",
                  confidentialityImpact: "NONE",
                  integrityImpact: "NONE",
                  privilegesRequired: "NONE",
                  scope: "UNCHANGED",
                  userInteraction: "NONE",
                  vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                  version: "3.1",
               },
               products: [
                  "RHPAM 7.13.1 async",
               ],
            },
         ],
         threats: [
            {
               category: "impact",
               details: "Important",
            },
         ],
         title: "Undertow: Infinite loop in SslConduit during close",
      },
   ],
}

rhsa-2023_3906

Vulnerability from csaf_redhat

Published

2023-06-28 15:59

Modified

2024-12-10 17:53

Summary

Red Hat Security Advisory: Red Hat Integration Camel K 1.10.1 release security update

Notes

Topic

Red Hat Integration Camel K 1.10.1 release and security update is now available. The purpose of this text-only errata is to inform you about the security issues fixed. Red Hat Product Security has rated this update as having an impact of Important.

Details

A security update for Camel K 1.10.1 is now available. The purpose of this text-only errata is to inform you about the security issues fixed with this release. * json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion)(CVE-2023-1370) * codehaus-plexus: Directory Traversal (CVE-2022-4244) * codehaus-plexus: XML External Entity (XXE) Injection (CVE-2022-4245) * scandium: Failing DTLS handshakes may cause throttling to block processing of records (CVE-2022-39368) * jdbc-postgresql: postgresql-jdbc: Information leak of prepared statement data due to insecure temporary file permissions (CVE-2022-41946) * Apache CXF: directory listing / code exfiltration (CVE-2022-46363) A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

JSON

To clipboard

{
   document: {
      aggregate_severity: {
         namespace: "https://access.redhat.com/security/updates/classification/",
         text: "Important",
      },
      category: "csaf_security_advisory",
      csaf_version: "2.0",
      distribution: {
         text: "Copyright © Red Hat, Inc. All rights reserved.",
         tlp: {
            label: "WHITE",
            url: "https://www.first.org/tlp/",
         },
      },
      lang: "en",
      notes: [
         {
            category: "summary",
            text: "Red Hat Integration Camel K 1.10.1 release and security update is now available. The purpose of this text-only errata is to inform you about the security issues fixed. Red Hat Product Security has rated this update as having an impact of Important.",
            title: "Topic",
         },
         {
            category: "general",
            text: "A security update for Camel K 1.10.1 is now available.\n\nThe purpose of this text-only errata is to inform you about the security issues fixed with this release.\n\n* json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion)(CVE-2023-1370)\n\n* codehaus-plexus: Directory Traversal (CVE-2022-4244)\n\n* codehaus-plexus: XML External Entity (XXE) Injection (CVE-2022-4245)\n\n* scandium: Failing DTLS handshakes may cause throttling to block processing of records (CVE-2022-39368)\n\n* jdbc-postgresql: postgresql-jdbc: Information leak of prepared statement data due to insecure temporary file permissions (CVE-2022-41946)\n\n* Apache CXF: directory listing / code exfiltration (CVE-2022-46363)\n\nA Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
            title: "Details",
         },
         {
            category: "legal_disclaimer",
            text: "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
            title: "Terms of Use",
         },
      ],
      publisher: {
         category: "vendor",
         contact_details: "https://access.redhat.com/security/team/contact/",
         issuing_authority: "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
         name: "Red Hat Product Security",
         namespace: "https://www.redhat.com",
      },
      references: [
         {
            category: "self",
            summary: "https://access.redhat.com/errata/RHSA-2023:3906",
            url: "https://access.redhat.com/errata/RHSA-2023:3906",
         },
         {
            category: "external",
            summary: "https://access.redhat.com/security/updates/classification/#important",
            url: "https://access.redhat.com/security/updates/classification/#important",
         },
         {
            category: "external",
            summary: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=red.hat.integration&version=2023-Q2",
            url: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=red.hat.integration&version=2023-Q2",
         },
         {
            category: "external",
            summary: "2145205",
            url: "https://bugzilla.redhat.com/show_bug.cgi?id=2145205",
         },
         {
            category: "external",
            summary: "2149841",
            url: "https://bugzilla.redhat.com/show_bug.cgi?id=2149841",
         },
         {
            category: "external",
            summary: "2149843",
            url: "https://bugzilla.redhat.com/show_bug.cgi?id=2149843",
         },
         {
            category: "external",
            summary: "2153399",
            url: "https://bugzilla.redhat.com/show_bug.cgi?id=2153399",
         },
         {
            category: "external",
            summary: "2155681",
            url: "https://bugzilla.redhat.com/show_bug.cgi?id=2155681",
         },
         {
            category: "external",
            summary: "2188542",
            url: "https://bugzilla.redhat.com/show_bug.cgi?id=2188542",
         },
         {
            category: "self",
            summary: "Canonical URL",
            url: "https://security.access.redhat.com/data/csaf/v2/advisories/2023/rhsa-2023_3906.json",
         },
      ],
      title: "Red Hat Security Advisory: Red Hat Integration Camel K 1.10.1 release security update",
      tracking: {
         current_release_date: "2024-12-10T17:53:41+00:00",
         generator: {
            date: "2024-12-10T17:53:41+00:00",
            engine: {
               name: "Red Hat SDEngine",
               version: "4.2.3",
            },
         },
         id: "RHSA-2023:3906",
         initial_release_date: "2023-06-28T15:59:12+00:00",
         revision_history: [
            {
               date: "2023-06-28T15:59:12+00:00",
               number: "1",
               summary: "Initial version",
            },
            {
               date: "2023-06-28T15:59:12+00:00",
               number: "2",
               summary: "Last updated version",
            },
            {
               date: "2024-12-10T17:53:41+00:00",
               number: "3",
               summary: "Last generated version",
            },
         ],
         status: "final",
         version: "3",
      },
   },
   product_tree: {
      branches: [
         {
            branches: [
               {
                  branches: [
                     {
                        category: "product_name",
                        name: "RHINT Camel-K-1.10.1",
                        product: {
                           name: "RHINT Camel-K-1.10.1",
                           product_id: "RHINT Camel-K-1.10.1",
                           product_identification_helper: {
                              cpe: "cpe:/a:redhat:camel_k:1",
                           },
                        },
                     },
                  ],
                  category: "product_family",
                  name: "Red Hat Integration",
               },
            ],
            category: "vendor",
            name: "Red Hat",
         },
      ],
   },
   vulnerabilities: [
      {
         cve: "CVE-2022-4244",
         cwe: {
            id: "CWE-22",
            name: "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')",
         },
         discovery_date: "2022-12-01T00:00:00+00:00",
         ids: [
            {
               system_name: "Red Hat Bugzilla ID",
               text: "2149841",
            },
         ],
         notes: [
            {
               category: "description",
               text: "A flaw was found in codeplex-codehaus. A directory traversal attack (also known as path traversal) aims to access files and directories stored outside the intended folder. By manipulating files with \"dot-dot-slash (../)\" sequences and their variations or by using absolute file paths, it may be possible to access arbitrary files and directories stored on the file system, including application source code, configuration, and other critical system files.",
               title: "Vulnerability description",
            },
            {
               category: "summary",
               text: "codehaus-plexus: Directory Traversal",
               title: "Vulnerability summary",
            },
            {
               category: "other",
               text: "Red Hat Single Sign-On uses this package for testing purposes and is not delivered with the distribution. Hence not affected status.",
               title: "Statement",
            },
            {
               category: "general",
               text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
               title: "CVSS score applicability",
            },
         ],
         product_status: {
            fixed: [
               "RHINT Camel-K-1.10.1",
            ],
         },
         references: [
            {
               category: "self",
               summary: "Canonical URL",
               url: "https://access.redhat.com/security/cve/CVE-2022-4244",
            },
            {
               category: "external",
               summary: "RHBZ#2149841",
               url: "https://bugzilla.redhat.com/show_bug.cgi?id=2149841",
            },
            {
               category: "external",
               summary: "https://www.cve.org/CVERecord?id=CVE-2022-4244",
               url: "https://www.cve.org/CVERecord?id=CVE-2022-4244",
            },
            {
               category: "external",
               summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-4244",
               url: "https://nvd.nist.gov/vuln/detail/CVE-2022-4244",
            },
         ],
         release_date: "2022-12-01T00:00:00+00:00",
         remediations: [
            {
               category: "vendor_fix",
               date: "2023-06-28T15:59:12+00:00",
               details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
               product_ids: [
                  "RHINT Camel-K-1.10.1",
               ],
               restart_required: {
                  category: "none",
               },
               url: "https://access.redhat.com/errata/RHSA-2023:3906",
            },
         ],
         scores: [
            {
               cvss_v3: {
                  attackComplexity: "LOW",
                  attackVector: "NETWORK",
                  availabilityImpact: "NONE",
                  baseScore: 7.5,
                  baseSeverity: "HIGH",
                  confidentialityImpact: "HIGH",
                  integrityImpact: "NONE",
                  privilegesRequired: "NONE",
                  scope: "UNCHANGED",
                  userInteraction: "NONE",
                  vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
                  version: "3.1",
               },
               products: [
                  "RHINT Camel-K-1.10.1",
               ],
            },
         ],
         threats: [
            {
               category: "impact",
               details: "Moderate",
            },
         ],
         title: "codehaus-plexus: Directory Traversal",
      },
      {
         cve: "CVE-2022-4245",
         cwe: {
            id: "CWE-91",
            name: "XML Injection (aka Blind XPath Injection)",
         },
         discovery_date: "2022-12-01T00:00:00+00:00",
         ids: [
            {
               system_name: "Red Hat Bugzilla ID",
               text: "2149843",
            },
         ],
         notes: [
            {
               category: "description",
               text: "A flaw was found in codehaus-plexus. The org.codehaus.plexus.util.xml.XmlWriterUtil#writeComment fails to sanitize comments for a --> sequence. This issue means that text contained in the command string could be interpreted as XML and allow for XML injection.",
               title: "Vulnerability description",
            },
            {
               category: "summary",
               text: "codehaus-plexus: XML External Entity (XXE) Injection",
               title: "Vulnerability summary",
            },
            {
               category: "general",
               text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
               title: "CVSS score applicability",
            },
         ],
         product_status: {
            fixed: [
               "RHINT Camel-K-1.10.1",
            ],
         },
         references: [
            {
               category: "self",
               summary: "Canonical URL",
               url: "https://access.redhat.com/security/cve/CVE-2022-4245",
            },
            {
               category: "external",
               summary: "RHBZ#2149843",
               url: "https://bugzilla.redhat.com/show_bug.cgi?id=2149843",
            },
            {
               category: "external",
               summary: "https://www.cve.org/CVERecord?id=CVE-2022-4245",
               url: "https://www.cve.org/CVERecord?id=CVE-2022-4245",
            },
            {
               category: "external",
               summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-4245",
               url: "https://nvd.nist.gov/vuln/detail/CVE-2022-4245",
            },
         ],
         release_date: "2022-12-01T00:00:00+00:00",
         remediations: [
            {
               category: "vendor_fix",
               date: "2023-06-28T15:59:12+00:00",
               details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
               product_ids: [
                  "RHINT Camel-K-1.10.1",
               ],
               restart_required: {
                  category: "none",
               },
               url: "https://access.redhat.com/errata/RHSA-2023:3906",
            },
         ],
         scores: [
            {
               cvss_v3: {
                  attackComplexity: "LOW",
                  attackVector: "NETWORK",
                  availabilityImpact: "NONE",
                  baseScore: 4.3,
                  baseSeverity: "MEDIUM",
                  confidentialityImpact: "LOW",
                  integrityImpact: "NONE",
                  privilegesRequired: "LOW",
                  scope: "UNCHANGED",
                  userInteraction: "NONE",
                  vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
                  version: "3.1",
               },
               products: [
                  "RHINT Camel-K-1.10.1",
               ],
            },
         ],
         threats: [
            {
               category: "impact",
               details: "Moderate",
            },
         ],
         title: "codehaus-plexus: XML External Entity (XXE) Injection",
      },
      {
         cve: "CVE-2022-39368",
         cwe: {
            id: "CWE-459",
            name: "Incomplete Cleanup",
         },
         discovery_date: "2022-11-23T00:00:00+00:00",
         ids: [
            {
               system_name: "Red Hat Bugzilla ID",
               text: "2145205",
            },
         ],
         notes: [
            {
               category: "description",
               text: "A flaw was found in the Eclipse Californium Scandium package. This issue occurs when failing handshakes don't clean up counters for throttling, causing the threshold to be reached without being released again, resulting in a denial of service. An attacker could submit a high quantity of server requests, leaving the server unable to respond.",
               title: "Vulnerability description",
            },
            {
               category: "summary",
               text: "scandium: Failing DTLS handshakes may cause throttling to block processing of records",
               title: "Vulnerability summary",
            },
            {
               category: "general",
               text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
               title: "CVSS score applicability",
            },
         ],
         product_status: {
            fixed: [
               "RHINT Camel-K-1.10.1",
            ],
         },
         references: [
            {
               category: "self",
               summary: "Canonical URL",
               url: "https://access.redhat.com/security/cve/CVE-2022-39368",
            },
            {
               category: "external",
               summary: "RHBZ#2145205",
               url: "https://bugzilla.redhat.com/show_bug.cgi?id=2145205",
            },
            {
               category: "external",
               summary: "https://www.cve.org/CVERecord?id=CVE-2022-39368",
               url: "https://www.cve.org/CVERecord?id=CVE-2022-39368",
            },
            {
               category: "external",
               summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-39368",
               url: "https://nvd.nist.gov/vuln/detail/CVE-2022-39368",
            },
            {
               category: "external",
               summary: "https://github.com/eclipse-californium/californium/security/advisories/GHSA-p72g-cgh9-ghjgc",
               url: "https://github.com/eclipse-californium/californium/security/advisories/GHSA-p72g-cgh9-ghjgc",
            },
         ],
         release_date: "2022-11-10T00:00:00+00:00",
         remediations: [
            {
               category: "vendor_fix",
               date: "2023-06-28T15:59:12+00:00",
               details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
               product_ids: [
                  "RHINT Camel-K-1.10.1",
               ],
               restart_required: {
                  category: "none",
               },
               url: "https://access.redhat.com/errata/RHSA-2023:3906",
            },
         ],
         scores: [
            {
               cvss_v3: {
                  attackComplexity: "LOW",
                  attackVector: "NETWORK",
                  availabilityImpact: "HIGH",
                  baseScore: 8.2,
                  baseSeverity: "HIGH",
                  confidentialityImpact: "NONE",
                  integrityImpact: "LOW",
                  privilegesRequired: "NONE",
                  scope: "UNCHANGED",
                  userInteraction: "NONE",
                  vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H",
                  version: "3.1",
               },
               products: [
                  "RHINT Camel-K-1.10.1",
               ],
            },
         ],
         threats: [
            {
               category: "impact",
               details: "Moderate",
            },
         ],
         title: "scandium: Failing DTLS handshakes may cause throttling to block processing of records",
      },
      {
         cve: "CVE-2022-41946",
         cwe: {
            id: "CWE-377",
            name: "Insecure Temporary File",
         },
         discovery_date: "2022-12-14T00:00:00+00:00",
         ids: [
            {
               system_name: "Red Hat Bugzilla ID",
               text: "2153399",
            },
         ],
         notes: [
            {
               category: "description",
               text: "A flaw was found in org.postgresql. This issue allows the creation of a temporary file when using PreparedStatement.setText(int, InputStream) and PreparedStatemet.setBytea(int, InputStream). This could allow a user to create an unexpected file available to all users, which could end in unexpected behavior.",
               title: "Vulnerability description",
            },
            {
               category: "summary",
               text: "postgresql-jdbc: Information leak of prepared statement data due to insecure temporary file permissions",
               title: "Vulnerability summary",
            },
            {
               category: "other",
               text: "Red Hat Satellite ships a PostgreSQL JDBC Driver for Hibernate ORM framework, which is embeds into Candlepin. Although Candlepin itself doesn't make direct use of the PreparedStatement methods from the PostgreSQL JDBC Driver, Hibernate ORM does utilize these methods, potentially making framework affected. Satellite server operating in an environment with untrusted users while the driver is running are vulnerable to the flaw, however, deployments without untrusted users are considered safe. A future Satellite update should address this issue.",
               title: "Statement",
            },
            {
               category: "general",
               text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
               title: "CVSS score applicability",
            },
         ],
         product_status: {
            fixed: [
               "RHINT Camel-K-1.10.1",
            ],
         },
         references: [
            {
               category: "self",
               summary: "Canonical URL",
               url: "https://access.redhat.com/security/cve/CVE-2022-41946",
            },
            {
               category: "external",
               summary: "RHBZ#2153399",
               url: "https://bugzilla.redhat.com/show_bug.cgi?id=2153399",
            },
            {
               category: "external",
               summary: "https://www.cve.org/CVERecord?id=CVE-2022-41946",
               url: "https://www.cve.org/CVERecord?id=CVE-2022-41946",
            },
            {
               category: "external",
               summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-41946",
               url: "https://nvd.nist.gov/vuln/detail/CVE-2022-41946",
            },
         ],
         release_date: "2022-11-23T00:00:00+00:00",
         remediations: [
            {
               category: "vendor_fix",
               date: "2023-06-28T15:59:12+00:00",
               details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
               product_ids: [
                  "RHINT Camel-K-1.10.1",
               ],
               restart_required: {
                  category: "none",
               },
               url: "https://access.redhat.com/errata/RHSA-2023:3906",
            },
         ],
         scores: [
            {
               cvss_v3: {
                  attackComplexity: "LOW",
                  attackVector: "LOCAL",
                  availabilityImpact: "NONE",
                  baseScore: 5.5,
                  baseSeverity: "MEDIUM",
                  confidentialityImpact: "HIGH",
                  integrityImpact: "NONE",
                  privilegesRequired: "LOW",
                  scope: "UNCHANGED",
                  userInteraction: "NONE",
                  vectorString: "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
                  version: "3.1",
               },
               products: [
                  "RHINT Camel-K-1.10.1",
               ],
            },
         ],
         threats: [
            {
               category: "impact",
               details: "Moderate",
            },
         ],
         title: "postgresql-jdbc: Information leak of prepared statement data due to insecure temporary file permissions",
      },
      {
         cve: "CVE-2022-46363",
         cwe: {
            id: "CWE-20",
            name: "Improper Input Validation",
         },
         discovery_date: "2022-12-21T00:00:00+00:00",
         ids: [
            {
               system_name: "Red Hat Bugzilla ID",
               text: "2155681",
            },
         ],
         notes: [
            {
               category: "description",
               text: "A vulnerability was found in Apache CXF that could allow an attacker to perform a remote directory listing or code exfiltration. This issue only applies when the CXFServlet is configured with both the static-resources-list and redirect-query-check attributes. These attributes are not supposed to be used together, so the issue can only occur if the CXF service is misconfigured.",
               title: "Vulnerability description",
            },
            {
               category: "summary",
               text: "CXF: directory listing / code exfiltration",
               title: "Vulnerability summary",
            },
            {
               category: "general",
               text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
               title: "CVSS score applicability",
            },
         ],
         product_status: {
            fixed: [
               "RHINT Camel-K-1.10.1",
            ],
         },
         references: [
            {
               category: "self",
               summary: "Canonical URL",
               url: "https://access.redhat.com/security/cve/CVE-2022-46363",
            },
            {
               category: "external",
               summary: "RHBZ#2155681",
               url: "https://bugzilla.redhat.com/show_bug.cgi?id=2155681",
            },
            {
               category: "external",
               summary: "https://www.cve.org/CVERecord?id=CVE-2022-46363",
               url: "https://www.cve.org/CVERecord?id=CVE-2022-46363",
            },
            {
               category: "external",
               summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-46363",
               url: "https://nvd.nist.gov/vuln/detail/CVE-2022-46363",
            },
            {
               category: "external",
               summary: "https://lists.apache.org/thread/pdzo1qgyplf4y523tnnzrcm7hoco3l8c",
               url: "https://lists.apache.org/thread/pdzo1qgyplf4y523tnnzrcm7hoco3l8c",
            },
         ],
         release_date: "2022-12-13T00:00:00+00:00",
         remediations: [
            {
               category: "vendor_fix",
               date: "2023-06-28T15:59:12+00:00",
               details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
               product_ids: [
                  "RHINT Camel-K-1.10.1",
               ],
               restart_required: {
                  category: "none",
               },
               url: "https://access.redhat.com/errata/RHSA-2023:3906",
            },
         ],
         scores: [
            {
               cvss_v3: {
                  attackComplexity: "LOW",
                  attackVector: "NETWORK",
                  availabilityImpact: "NONE",
                  baseScore: 7.5,
                  baseSeverity: "HIGH",
                  confidentialityImpact: "HIGH",
                  integrityImpact: "NONE",
                  privilegesRequired: "NONE",
                  scope: "UNCHANGED",
                  userInteraction: "NONE",
                  vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
                  version: "3.1",
               },
               products: [
                  "RHINT Camel-K-1.10.1",
               ],
            },
         ],
         threats: [
            {
               category: "impact",
               details: "Moderate",
            },
         ],
         title: "CXF: directory listing / code exfiltration",
      },
      {
         cve: "CVE-2023-1370",
         cwe: {
            id: "CWE-674",
            name: "Uncontrolled Recursion",
         },
         discovery_date: "2023-04-21T00:00:00+00:00",
         ids: [
            {
               system_name: "Red Hat Bugzilla ID",
               text: "2188542",
            },
         ],
         notes: [
            {
               category: "description",
               text: "A flaw was found in the json-smart package. This security flaw occurs when reaching a ‘[‘ or ‘{‘ character in the JSON input, and the code parses an array or an object, respectively. The 3PP does not have any limit to the nesting of such arrays or objects. Since nested arrays and objects are parsed recursively, nesting too many of them can cause stack exhaustion (stack overflow) and crash the software.",
               title: "Vulnerability description",
            },
            {
               category: "summary",
               text: "json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion)",
               title: "Vulnerability summary",
            },
            {
               category: "general",
               text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
               title: "CVSS score applicability",
            },
         ],
         product_status: {
            fixed: [
               "RHINT Camel-K-1.10.1",
            ],
         },
         references: [
            {
               category: "self",
               summary: "Canonical URL",
               url: "https://access.redhat.com/security/cve/CVE-2023-1370",
            },
            {
               category: "external",
               summary: "RHBZ#2188542",
               url: "https://bugzilla.redhat.com/show_bug.cgi?id=2188542",
            },
            {
               category: "external",
               summary: "https://www.cve.org/CVERecord?id=CVE-2023-1370",
               url: "https://www.cve.org/CVERecord?id=CVE-2023-1370",
            },
            {
               category: "external",
               summary: "https://nvd.nist.gov/vuln/detail/CVE-2023-1370",
               url: "https://nvd.nist.gov/vuln/detail/CVE-2023-1370",
            },
            {
               category: "external",
               summary: "https://github.com/advisories/GHSA-493p-pfq6-5258",
               url: "https://github.com/advisories/GHSA-493p-pfq6-5258",
            },
            {
               category: "external",
               summary: "https://research.jfrog.com/vulnerabilities/stack-exhaustion-in-json-smart-leads-to-denial-of-service-when-parsing-malformed-json-xray-427633/",
               url: "https://research.jfrog.com/vulnerabilities/stack-exhaustion-in-json-smart-leads-to-denial-of-service-when-parsing-malformed-json-xray-427633/",
            },
         ],
         release_date: "2023-03-22T00:00:00+00:00",
         remediations: [
            {
               category: "vendor_fix",
               date: "2023-06-28T15:59:12+00:00",
               details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
               product_ids: [
                  "RHINT Camel-K-1.10.1",
               ],
               restart_required: {
                  category: "none",
               },
               url: "https://access.redhat.com/errata/RHSA-2023:3906",
            },
         ],
         scores: [
            {
               cvss_v3: {
                  attackComplexity: "LOW",
                  attackVector: "NETWORK",
                  availabilityImpact: "HIGH",
                  baseScore: 7.5,
                  baseSeverity: "HIGH",
                  confidentialityImpact: "NONE",
                  integrityImpact: "NONE",
                  privilegesRequired: "NONE",
                  scope: "UNCHANGED",
                  userInteraction: "NONE",
                  vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                  version: "3.1",
               },
               products: [
                  "RHINT Camel-K-1.10.1",
               ],
            },
         ],
         threats: [
            {
               category: "impact",
               details: "Important",
            },
         ],
         title: "json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion)",
      },
   ],
}

RHSA-2023:2135

Vulnerability from csaf_redhat

Published

2023-05-04 15:59

Modified

2025-03-14 23:59

Summary

Red Hat Security Advisory: Red Hat Process Automation Manager 7.13.3 security update

Notes

Topic

Details

JSON

To clipboard

{
   document: {
      aggregate_severity: {
         namespace: "https://access.redhat.com/security/updates/classification/",
         text: "Important",
      },
      category: "csaf_security_advisory",
      csaf_version: "2.0",
      distribution: {
         text: "Copyright © Red Hat, Inc. All rights reserved.",
         tlp: {
            label: "WHITE",
            url: "https://www.first.org/tlp/",
         },
      },
      lang: "en",
      notes: [
         {
            category: "summary",
            text: "An update is now available for Red Hat Process Automation Manager.\n\nRed Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
            title: "Topic",
         },
         {
            category: "general",
            text: "Red Hat Process Automation Manager is an open source business process management suite that combines process management and decision service management and enables business and IT users to create, manage, validate, and deploy process applications and decision services.\n\nThis asynchronous security patch is an update to Red Hat Process Automation Manager 7.\n\nSecurity Fixes:\n\n* CXF: Apache CXF: SSRF Vulnerability (CVE-2022-46364)\n\n* keycloak: path traversal via double URL encoding (CVE-2022-3782)\n\n* undertow: Infinite loop in SslConduit during close (CVE-2023-1108)\n\n* commons-text: apache-commons-text: variable interpolation RCE (CVE-2022-42889)\n\n* jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS (CVE-2022-42003)\n\n* jackson-databind: use of deeply nested arrays (CVE-2022-42004)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
            title: "Details",
         },
         {
            category: "legal_disclaimer",
            text: "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
            title: "Terms of Use",
         },
      ],
      publisher: {
         category: "vendor",
         contact_details: "https://access.redhat.com/security/team/contact/",
         issuing_authority: "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
         name: "Red Hat Product Security",
         namespace: "https://www.redhat.com",
      },
      references: [
         {
            category: "self",
            summary: "https://access.redhat.com/errata/RHSA-2023:2135",
            url: "https://access.redhat.com/errata/RHSA-2023:2135",
         },
         {
            category: "external",
            summary: "https://access.redhat.com/security/updates/classification/#important",
            url: "https://access.redhat.com/security/updates/classification/#important",
         },
         {
            category: "external",
            summary: "2135244",
            url: "https://bugzilla.redhat.com/show_bug.cgi?id=2135244",
         },
         {
            category: "external",
            summary: "2135247",
            url: "https://bugzilla.redhat.com/show_bug.cgi?id=2135247",
         },
         {
            category: "external",
            summary: "2135435",
            url: "https://bugzilla.redhat.com/show_bug.cgi?id=2135435",
         },
         {
            category: "external",
            summary: "2138971",
            url: "https://bugzilla.redhat.com/show_bug.cgi?id=2138971",
         },
         {
            category: "external",
            summary: "2155682",
            url: "https://bugzilla.redhat.com/show_bug.cgi?id=2155682",
         },
         {
            category: "external",
            summary: "2174246",
            url: "https://bugzilla.redhat.com/show_bug.cgi?id=2174246",
         },
         {
            category: "self",
            summary: "Canonical URL",
            url: "https://security.access.redhat.com/data/csaf/v2/advisories/2023/rhsa-2023_2135.json",
         },
      ],
      title: "Red Hat Security Advisory: Red Hat Process Automation Manager 7.13.3 security update",
      tracking: {
         current_release_date: "2025-03-14T23:59:20+00:00",
         generator: {
            date: "2025-03-14T23:59:20+00:00",
            engine: {
               name: "Red Hat SDEngine",
               version: "4.4.1",
            },
         },
         id: "RHSA-2023:2135",
         initial_release_date: "2023-05-04T15:59:31+00:00",
         revision_history: [
            {
               date: "2023-05-04T15:59:31+00:00",
               number: "1",
               summary: "Initial version",
            },
            {
               date: "2023-05-04T15:59:31+00:00",
               number: "2",
               summary: "Last updated version",
            },
            {
               date: "2025-03-14T23:59:20+00:00",
               number: "3",
               summary: "Last generated version",
            },
         ],
         status: "final",
         version: "3",
      },
   },
   product_tree: {
      branches: [
         {
            branches: [
               {
                  branches: [
                     {
                        category: "product_name",
                        name: "RHPAM 7.13.1 async",
                        product: {
                           name: "RHPAM 7.13.1 async",
                           product_id: "RHPAM 7.13.1 async",
                           product_identification_helper: {
                              cpe: "cpe:/a:redhat:jboss_enterprise_bpms_platform:7.13",
                           },
                        },
                     },
                  ],
                  category: "product_family",
                  name: "Red Hat Process Automation Manager",
               },
            ],
            category: "vendor",
            name: "Red Hat",
         },
      ],
   },
   vulnerabilities: [
      {
         cve: "CVE-2022-3782",
         cwe: {
            id: "CWE-22",
            name: "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')",
         },
         discovery_date: "2022-10-31T00:00:00+00:00",
         ids: [
            {
               system_name: "Red Hat Bugzilla ID",
               text: "2138971",
            },
         ],
         notes: [
            {
               category: "description",
               text: "A flaw was found in Keycloak, where it does not properly validate URLs included in a redirect. An attacker can use this flaw to construct a malicious request to bypass validation and access other URLs and potentially sensitive information within the domain or possibly conduct further attacks. This flaw affects any client that utilizes a wildcard in the Valid Redirect URIs field.",
               title: "Vulnerability description",
            },
            {
               category: "summary",
               text: "keycloak: path traversal via double URL encoding",
               title: "Vulnerability summary",
            },
            {
               category: "other",
               text: "Red Hat Build of Quarkus is not impacted as this CVE affects the server-side Keycloak execution but Quarkus only acts as a Keycloak client in its quarkus-keycloak-authorization extension. For this reason Quarkus is marked with Low impact.",
               title: "Statement",
            },
            {
               category: "general",
               text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
               title: "CVSS score applicability",
            },
         ],
         product_status: {
            fixed: [
               "RHPAM 7.13.1 async",
            ],
         },
         references: [
            {
               category: "self",
               summary: "Canonical URL",
               url: "https://access.redhat.com/security/cve/CVE-2022-3782",
            },
            {
               category: "external",
               summary: "RHBZ#2138971",
               url: "https://bugzilla.redhat.com/show_bug.cgi?id=2138971",
            },
            {
               category: "external",
               summary: "https://www.cve.org/CVERecord?id=CVE-2022-3782",
               url: "https://www.cve.org/CVERecord?id=CVE-2022-3782",
            },
            {
               category: "external",
               summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-3782",
               url: "https://nvd.nist.gov/vuln/detail/CVE-2022-3782",
            },
         ],
         release_date: "2022-12-12T00:00:00+00:00",
         remediations: [
            {
               category: "vendor_fix",
               date: "2023-05-04T15:59:31+00:00",
               details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
               product_ids: [
                  "RHPAM 7.13.1 async",
               ],
               restart_required: {
                  category: "none",
               },
               url: "https://access.redhat.com/errata/RHSA-2023:2135",
            },
         ],
         scores: [
            {
               cvss_v3: {
                  attackComplexity: "LOW",
                  attackVector: "NETWORK",
                  availabilityImpact: "NONE",
                  baseScore: 8.1,
                  baseSeverity: "HIGH",
                  confidentialityImpact: "HIGH",
                  integrityImpact: "HIGH",
                  privilegesRequired: "NONE",
                  scope: "UNCHANGED",
                  userInteraction: "REQUIRED",
                  vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
                  version: "3.1",
               },
               products: [
                  "RHPAM 7.13.1 async",
               ],
            },
         ],
         threats: [
            {
               category: "impact",
               details: "Important",
            },
         ],
         title: "keycloak: path traversal via double URL encoding",
      },
      {
         cve: "CVE-2022-4244",
         cwe: {
            id: "CWE-22",
            name: "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')",
         },
         discovery_date: "2022-12-01T00:00:00+00:00",
         ids: [
            {
               system_name: "Red Hat Bugzilla ID",
               text: "2149841",
            },
         ],
         notes: [
            {
               category: "description",
               text: "A flaw was found in codeplex-codehaus. A directory traversal attack (also known as path traversal) aims to access files and directories stored outside the intended folder. By manipulating files with \"dot-dot-slash (../)\" sequences and their variations or by using absolute file paths, it may be possible to access arbitrary files and directories stored on the file system, including application source code, configuration, and other critical system files.",
               title: "Vulnerability description",
            },
            {
               category: "summary",
               text: "codehaus-plexus: Directory Traversal",
               title: "Vulnerability summary",
            },
            {
               category: "other",
               text: "Red Hat Single Sign-On uses this package for testing purposes and is not delivered with the distribution. Hence not affected status.",
               title: "Statement",
            },
            {
               category: "general",
               text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
               title: "CVSS score applicability",
            },
         ],
         product_status: {
            fixed: [
               "RHPAM 7.13.1 async",
            ],
         },
         references: [
            {
               category: "self",
               summary: "Canonical URL",
               url: "https://access.redhat.com/security/cve/CVE-2022-4244",
            },
            {
               category: "external",
               summary: "RHBZ#2149841",
               url: "https://bugzilla.redhat.com/show_bug.cgi?id=2149841",
            },
            {
               category: "external",
               summary: "https://www.cve.org/CVERecord?id=CVE-2022-4244",
               url: "https://www.cve.org/CVERecord?id=CVE-2022-4244",
            },
            {
               category: "external",
               summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-4244",
               url: "https://nvd.nist.gov/vuln/detail/CVE-2022-4244",
            },
         ],
         release_date: "2022-12-01T00:00:00+00:00",
         remediations: [
            {
               category: "vendor_fix",
               date: "2023-05-04T15:59:31+00:00",
               details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
               product_ids: [
                  "RHPAM 7.13.1 async",
               ],
               restart_required: {
                  category: "none",
               },
               url: "https://access.redhat.com/errata/RHSA-2023:2135",
            },
         ],
         scores: [
            {
               cvss_v3: {
                  attackComplexity: "LOW",
                  attackVector: "NETWORK",
                  availabilityImpact: "NONE",
                  baseScore: 7.5,
                  baseSeverity: "HIGH",
                  confidentialityImpact: "HIGH",
                  integrityImpact: "NONE",
                  privilegesRequired: "NONE",
                  scope: "UNCHANGED",
                  userInteraction: "NONE",
                  vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
                  version: "3.1",
               },
               products: [
                  "RHPAM 7.13.1 async",
               ],
            },
         ],
         threats: [
            {
               category: "impact",
               details: "Moderate",
            },
         ],
         title: "codehaus-plexus: Directory Traversal",
      },
      {
         cve: "CVE-2022-4245",
         cwe: {
            id: "CWE-91",
            name: "XML Injection (aka Blind XPath Injection)",
         },
         discovery_date: "2022-12-01T00:00:00+00:00",
         ids: [
            {
               system_name: "Red Hat Bugzilla ID",
               text: "2149843",
            },
         ],
         notes: [
            {
               category: "description",
               text: "A flaw was found in codehaus-plexus. The org.codehaus.plexus.util.xml.XmlWriterUtil#writeComment fails to sanitize comments for a --> sequence. This issue means that text contained in the command string could be interpreted as XML and allow for XML injection.",
               title: "Vulnerability description",
            },
            {
               category: "summary",
               text: "codehaus-plexus: XML External Entity (XXE) Injection",
               title: "Vulnerability summary",
            },
            {
               category: "general",
               text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
               title: "CVSS score applicability",
            },
         ],
         product_status: {
            fixed: [
               "RHPAM 7.13.1 async",
            ],
         },
         references: [
            {
               category: "self",
               summary: "Canonical URL",
               url: "https://access.redhat.com/security/cve/CVE-2022-4245",
            },
            {
               category: "external",
               summary: "RHBZ#2149843",
               url: "https://bugzilla.redhat.com/show_bug.cgi?id=2149843",
            },
            {
               category: "external",
               summary: "https://www.cve.org/CVERecord?id=CVE-2022-4245",
               url: "https://www.cve.org/CVERecord?id=CVE-2022-4245",
            },
            {
               category: "external",
               summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-4245",
               url: "https://nvd.nist.gov/vuln/detail/CVE-2022-4245",
            },
         ],
         release_date: "2022-12-01T00:00:00+00:00",
         remediations: [
            {
               category: "vendor_fix",
               date: "2023-05-04T15:59:31+00:00",
               details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
               product_ids: [
                  "RHPAM 7.13.1 async",
               ],
               restart_required: {
                  category: "none",
               },
               url: "https://access.redhat.com/errata/RHSA-2023:2135",
            },
         ],
         scores: [
            {
               cvss_v3: {
                  attackComplexity: "LOW",
                  attackVector: "NETWORK",
                  availabilityImpact: "NONE",
                  baseScore: 4.3,
                  baseSeverity: "MEDIUM",
                  confidentialityImpact: "LOW",
                  integrityImpact: "NONE",
                  privilegesRequired: "LOW",
                  scope: "UNCHANGED",
                  userInteraction: "NONE",
                  vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
                  version: "3.1",
               },
               products: [
                  "RHPAM 7.13.1 async",
               ],
            },
         ],
         threats: [
            {
               category: "impact",
               details: "Moderate",
            },
         ],
         title: "codehaus-plexus: XML External Entity (XXE) Injection",
      },
      {
         cve: "CVE-2022-40149",
         cwe: {
            id: "CWE-787",
            name: "Out-of-bounds Write",
         },
         discovery_date: "2022-10-18T00:00:00+00:00",
         ids: [
            {
               system_name: "Red Hat Bugzilla ID",
               text: "2135771",
            },
         ],
         notes: [
            {
               category: "description",
               text: "A stack-based buffer overflow vulnerability was found in Jettison, where parsing an untrusted XML or JSON data may lead to a crash. This flaw allows an attacker to supply content that causes the parser to crash by writing outside the memory bounds if the parser is running on user-supplied input, resulting in a denial of service attack.",
               title: "Vulnerability description",
            },
            {
               category: "summary",
               text: "jettison: parser crash by stackoverflow",
               title: "Vulnerability summary",
            },
            {
               category: "general",
               text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
               title: "CVSS score applicability",
            },
         ],
         product_status: {
            fixed: [
               "RHPAM 7.13.1 async",
            ],
         },
         references: [
            {
               category: "self",
               summary: "Canonical URL",
               url: "https://access.redhat.com/security/cve/CVE-2022-40149",
            },
            {
               category: "external",
               summary: "RHBZ#2135771",
               url: "https://bugzilla.redhat.com/show_bug.cgi?id=2135771",
            },
            {
               category: "external",
               summary: "https://www.cve.org/CVERecord?id=CVE-2022-40149",
               url: "https://www.cve.org/CVERecord?id=CVE-2022-40149",
            },
            {
               category: "external",
               summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-40149",
               url: "https://nvd.nist.gov/vuln/detail/CVE-2022-40149",
            },
            {
               category: "external",
               summary: "https://github.com/jettison-json/jettison/releases/tag/jettison-1.5.1",
               url: "https://github.com/jettison-json/jettison/releases/tag/jettison-1.5.1",
            },
         ],
         release_date: "2022-09-20T00:00:00+00:00",
         remediations: [
            {
               category: "vendor_fix",
               date: "2023-05-04T15:59:31+00:00",
               details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
               product_ids: [
                  "RHPAM 7.13.1 async",
               ],
               restart_required: {
                  category: "none",
               },
               url: "https://access.redhat.com/errata/RHSA-2023:2135",
            },
         ],
         scores: [
            {
               cvss_v3: {
                  attackComplexity: "LOW",
                  attackVector: "NETWORK",
                  availabilityImpact: "HIGH",
                  baseScore: 7.5,
                  baseSeverity: "HIGH",
                  confidentialityImpact: "NONE",
                  integrityImpact: "NONE",
                  privilegesRequired: "NONE",
                  scope: "UNCHANGED",
                  userInteraction: "NONE",
                  vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                  version: "3.1",
               },
               products: [
                  "RHPAM 7.13.1 async",
               ],
            },
         ],
         threats: [
            {
               category: "impact",
               details: "Moderate",
            },
         ],
         title: "jettison: parser crash by stackoverflow",
      },
      {
         cve: "CVE-2022-40150",
         cwe: {
            id: "CWE-400",
            name: "Uncontrolled Resource Consumption",
         },
         discovery_date: "2022-10-18T00:00:00+00:00",
         ids: [
            {
               system_name: "Red Hat Bugzilla ID",
               text: "2135770",
            },
         ],
         notes: [
            {
               category: "description",
               text: "A vulnerability was found in Jettison, where parsing an untrusted XML or JSON data may lead to a crash. If the parser is running on user-supplied input, an attacker may supply content that causes the parser to crash, causing memory exhaustion. This effect may support a denial of service attack.",
               title: "Vulnerability description",
            },
            {
               category: "summary",
               text: "jettison: memory exhaustion via user-supplied XML or JSON data",
               title: "Vulnerability summary",
            },
            {
               category: "general",
               text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
               title: "CVSS score applicability",
            },
         ],
         product_status: {
            fixed: [
               "RHPAM 7.13.1 async",
            ],
         },
         references: [
            {
               category: "self",
               summary: "Canonical URL",
               url: "https://access.redhat.com/security/cve/CVE-2022-40150",
            },
            {
               category: "external",
               summary: "RHBZ#2135770",
               url: "https://bugzilla.redhat.com/show_bug.cgi?id=2135770",
            },
            {
               category: "external",
               summary: "https://www.cve.org/CVERecord?id=CVE-2022-40150",
               url: "https://www.cve.org/CVERecord?id=CVE-2022-40150",
            },
            {
               category: "external",
               summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-40150",
               url: "https://nvd.nist.gov/vuln/detail/CVE-2022-40150",
            },
            {
               category: "external",
               summary: "https://github.com/jettison-json/jettison/releases/tag/jettison-1.5.1",
               url: "https://github.com/jettison-json/jettison/releases/tag/jettison-1.5.1",
            },
         ],
         release_date: "2022-09-20T00:00:00+00:00",
         remediations: [
            {
               category: "vendor_fix",
               date: "2023-05-04T15:59:31+00:00",
               details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
               product_ids: [
                  "RHPAM 7.13.1 async",
               ],
               restart_required: {
                  category: "none",
               },
               url: "https://access.redhat.com/errata/RHSA-2023:2135",
            },
         ],
         scores: [
            {
               cvss_v3: {
                  attackComplexity: "LOW",
                  attackVector: "NETWORK",
                  availabilityImpact: "HIGH",
                  baseScore: 7.5,
                  baseSeverity: "HIGH",
                  confidentialityImpact: "NONE",
                  integrityImpact: "NONE",
                  privilegesRequired: "NONE",
                  scope: "UNCHANGED",
                  userInteraction: "NONE",
                  vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                  version: "3.1",
               },
               products: [
                  "RHPAM 7.13.1 async",
               ],
            },
         ],
         threats: [
            {
               category: "impact",
               details: "Low",
            },
         ],
         title: "jettison: memory exhaustion via user-supplied XML or JSON data",
      },
      {
         cve: "CVE-2022-42003",
         cwe: {
            id: "CWE-502",
            name: "Deserialization of Untrusted Data",
         },
         discovery_date: "2022-10-17T00:00:00+00:00",
         ids: [
            {
               system_name: "Red Hat Bugzilla ID",
               text: "2135244",
            },
         ],
         notes: [
            {
               category: "description",
               text: "A flaw was found in FasterXML jackson-databind. This issue could allow an attacker to benefit from resource exhaustion when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled due to unchecked primitive value deserializers to avoid deep wrapper array nesting.",
               title: "Vulnerability description",
            },
            {
               category: "summary",
               text: "jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS",
               title: "Vulnerability summary",
            },
            {
               category: "general",
               text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
               title: "CVSS score applicability",
            },
         ],
         product_status: {
            fixed: [
               "RHPAM 7.13.1 async",
            ],
         },
         references: [
            {
               category: "self",
               summary: "Canonical URL",
               url: "https://access.redhat.com/security/cve/CVE-2022-42003",
            },
            {
               category: "external",
               summary: "RHBZ#2135244",
               url: "https://bugzilla.redhat.com/show_bug.cgi?id=2135244",
            },
            {
               category: "external",
               summary: "https://www.cve.org/CVERecord?id=CVE-2022-42003",
               url: "https://www.cve.org/CVERecord?id=CVE-2022-42003",
            },
            {
               category: "external",
               summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-42003",
               url: "https://nvd.nist.gov/vuln/detail/CVE-2022-42003",
            },
         ],
         release_date: "2022-10-02T00:00:00+00:00",
         remediations: [
            {
               category: "vendor_fix",
               date: "2023-05-04T15:59:31+00:00",
               details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
               product_ids: [
                  "RHPAM 7.13.1 async",
               ],
               restart_required: {
                  category: "none",
               },
               url: "https://access.redhat.com/errata/RHSA-2023:2135",
            },
         ],
         scores: [
            {
               cvss_v3: {
                  attackComplexity: "LOW",
                  attackVector: "NETWORK",
                  availabilityImpact: "HIGH",
                  baseScore: 7.5,
                  baseSeverity: "HIGH",
                  confidentialityImpact: "NONE",
                  integrityImpact: "NONE",
                  privilegesRequired: "NONE",
                  scope: "UNCHANGED",
                  userInteraction: "NONE",
                  vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                  version: "3.1",
               },
               products: [
                  "RHPAM 7.13.1 async",
               ],
            },
         ],
         threats: [
            {
               category: "impact",
               details: "Moderate",
            },
         ],
         title: "jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS",
      },
      {
         cve: "CVE-2022-42004",
         cwe: {
            id: "CWE-502",
            name: "Deserialization of Untrusted Data",
         },
         discovery_date: "2022-10-17T00:00:00+00:00",
         ids: [
            {
               system_name: "Red Hat Bugzilla ID",
               text: "2135247",
            },
         ],
         notes: [
            {
               category: "description",
               text: "A flaw was found In FasterXML jackson-databind. This issue could allow an attacker to benefit from resource exhaustion due to the lack of a check in BeanDeserializer._deserializeFromArray to prevent the use of deeply nested arrays. An application is only vulnerable with certain customized choices for deserialization.",
               title: "Vulnerability description",
            },
            {
               category: "summary",
               text: "jackson-databind: use of deeply nested arrays",
               title: "Vulnerability summary",
            },
            {
               category: "general",
               text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
               title: "CVSS score applicability",
            },
         ],
         product_status: {
            fixed: [
               "RHPAM 7.13.1 async",
            ],
         },
         references: [
            {
               category: "self",
               summary: "Canonical URL",
               url: "https://access.redhat.com/security/cve/CVE-2022-42004",
            },
            {
               category: "external",
               summary: "RHBZ#2135247",
               url: "https://bugzilla.redhat.com/show_bug.cgi?id=2135247",
            },
            {
               category: "external",
               summary: "https://www.cve.org/CVERecord?id=CVE-2022-42004",
               url: "https://www.cve.org/CVERecord?id=CVE-2022-42004",
            },
            {
               category: "external",
               summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-42004",
               url: "https://nvd.nist.gov/vuln/detail/CVE-2022-42004",
            },
         ],
         release_date: "2022-10-02T00:00:00+00:00",
         remediations: [
            {
               category: "vendor_fix",
               date: "2023-05-04T15:59:31+00:00",
               details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
               product_ids: [
                  "RHPAM 7.13.1 async",
               ],
               restart_required: {
                  category: "none",
               },
               url: "https://access.redhat.com/errata/RHSA-2023:2135",
            },
         ],
         scores: [
            {
               cvss_v3: {
                  attackComplexity: "LOW",
                  attackVector: "NETWORK",
                  availabilityImpact: "HIGH",
                  baseScore: 7.5,
                  baseSeverity: "HIGH",
                  confidentialityImpact: "NONE",
                  integrityImpact: "NONE",
                  privilegesRequired: "NONE",
                  scope: "UNCHANGED",
                  userInteraction: "NONE",
                  vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                  version: "3.1",
               },
               products: [
                  "RHPAM 7.13.1 async",
               ],
            },
         ],
         threats: [
            {
               category: "impact",
               details: "Moderate",
            },
         ],
         title: "jackson-databind: use of deeply nested arrays",
      },
      {
         cve: "CVE-2022-42889",
         cwe: {
            id: "CWE-1188",
            name: "Initialization of a Resource with an Insecure Default",
         },
         discovery_date: "2022-10-15T00:00:00+00:00",
         ids: [
            {
               system_name: "Red Hat Bugzilla ID",
               text: "2135435",
            },
         ],
         notes: [
            {
               category: "description",
               text: "A flaw was found in Apache Commons Text packages 1.5 through 1.9.  The affected versions allow an attacker to benefit from a variable interpolation process contained in Apache Commons Text, which can cause properties to be dynamically defined. Server applications are vulnerable to remote code execution (RCE) and unintentional contact with untrusted remote servers.",
               title: "Vulnerability description",
            },
            {
               category: "summary",
               text: "apache-commons-text: variable interpolation RCE",
               title: "Vulnerability summary",
            },
            {
               category: "other",
               text: "In order to carry successful exploitation of this vulnerability, the following conditions must be in place on the affected target:\n  - Usage of specific methods that interpolate the variables as described in the flaw\n  - Usage of external input for those methods\n  - Usage of that external input has to be unsanitized/no \"allow list\"/etc.\n\nThe following products have *Low* impact because they have maven references to the affected package but do not ship it nor use the code:\n- Red Hat EAP Expansion Pack (EAP-XP)\n- Red Hat Camel-K\n- Red Hat Camel-Quarkus\n\nRed Hat Satellite ships Candlepin that embeds Apache Commons Text, however, it is not vulnerable to the flaw since the library has not been exposed in the product code. In Candlepin, the Commons Text is being pulled for the Liquibase and ActiveMQ Artemis libraries as a dependency. Red Hat Product Security has evaluated and rated the impact of the flaw as Low for Satellite since there was no harm identified to the confidentiality, integrity, or availability of systems.\n\n- The OCP has a *Moderate* impact because the affected library is a third-party library in the OCP jenkins-2-plugin component which reduces the possibilities of successful exploitation.\n- The OCP-4.8 is affected by this CVE and is in an extended life phase. For versions of products in the Extended Life Phase, Red Hat will provide limited ongoing technical support. No bug fixes, security fixes, hardware enablement or root-cause analysis will be available during this phase, and support will be provided on existing installations only.",
               title: "Statement",
            },
            {
               category: "general",
               text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
               title: "CVSS score applicability",
            },
         ],
         product_status: {
            fixed: [
               "RHPAM 7.13.1 async",
            ],
         },
         references: [
            {
               category: "self",
               summary: "Canonical URL",
               url: "https://access.redhat.com/security/cve/CVE-2022-42889",
            },
            {
               category: "external",
               summary: "RHBZ#2135435",
               url: "https://bugzilla.redhat.com/show_bug.cgi?id=2135435",
            },
            {
               category: "external",
               summary: "https://www.cve.org/CVERecord?id=CVE-2022-42889",
               url: "https://www.cve.org/CVERecord?id=CVE-2022-42889",
            },
            {
               category: "external",
               summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-42889",
               url: "https://nvd.nist.gov/vuln/detail/CVE-2022-42889",
            },
            {
               category: "external",
               summary: "https://blogs.apache.org/security/entry/cve-2022-42889",
               url: "https://blogs.apache.org/security/entry/cve-2022-42889",
            },
            {
               category: "external",
               summary: "https://lists.apache.org/thread/n2bd4vdsgkqh2tm14l1wyc3jyol7s1om",
               url: "https://lists.apache.org/thread/n2bd4vdsgkqh2tm14l1wyc3jyol7s1om",
            },
            {
               category: "external",
               summary: "https://seclists.org/oss-sec/2022/q4/22",
               url: "https://seclists.org/oss-sec/2022/q4/22",
            },
         ],
         release_date: "2022-10-13T00:00:00+00:00",
         remediations: [
            {
               category: "vendor_fix",
               date: "2023-05-04T15:59:31+00:00",
               details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
               product_ids: [
                  "RHPAM 7.13.1 async",
               ],
               restart_required: {
                  category: "none",
               },
               url: "https://access.redhat.com/errata/RHSA-2023:2135",
            },
            {
               category: "workaround",
               details: "This flaw may be avoided by ensuring that any external inputs used with the Commons-Text lookup methods are sanitized properly. Untrusted input should always be thoroughly sanitized before using in any potentially risky situations.",
               product_ids: [
                  "RHPAM 7.13.1 async",
               ],
            },
         ],
         scores: [
            {
               cvss_v3: {
                  attackComplexity: "LOW",
                  attackVector: "NETWORK",
                  availabilityImpact: "HIGH",
                  baseScore: 9.8,
                  baseSeverity: "CRITICAL",
                  confidentialityImpact: "HIGH",
                  integrityImpact: "HIGH",
                  privilegesRequired: "NONE",
                  scope: "UNCHANGED",
                  userInteraction: "NONE",
                  vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                  version: "3.1",
               },
               products: [
                  "RHPAM 7.13.1 async",
               ],
            },
         ],
         threats: [
            {
               category: "impact",
               details: "Moderate",
            },
         ],
         title: "apache-commons-text: variable interpolation RCE",
      },
      {
         cve: "CVE-2022-45693",
         cwe: {
            id: "CWE-787",
            name: "Out-of-bounds Write",
         },
         discovery_date: "2022-12-23T00:00:00+00:00",
         ids: [
            {
               system_name: "Red Hat Bugzilla ID",
               text: "2155970",
            },
         ],
         notes: [
            {
               category: "description",
               text: "A flaw was found in Jettison, where it is vulnerable to a denial of service caused by a stack-based buffer overflow. By sending a specially-crafted request using the map parameter, a remote attacker can cause a denial of service.",
               title: "Vulnerability description",
            },
            {
               category: "summary",
               text: "jettison: If the value in map is the map's self, the new new JSONObject(map) cause StackOverflowError which may lead to dos",
               title: "Vulnerability summary",
            },
            {
               category: "other",
               text: "Red Hat has determined the impact of this flaw to be Moderate; a successful attack using this flaw would require the processing of untrusted, unsanitized, or unrestricted user inputs, which runs counter to established Red Hat security practices.",
               title: "Statement",
            },
            {
               category: "general",
               text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
               title: "CVSS score applicability",
            },
         ],
         product_status: {
            fixed: [
               "RHPAM 7.13.1 async",
            ],
         },
         references: [
            {
               category: "self",
               summary: "Canonical URL",
               url: "https://access.redhat.com/security/cve/CVE-2022-45693",
            },
            {
               category: "external",
               summary: "RHBZ#2155970",
               url: "https://bugzilla.redhat.com/show_bug.cgi?id=2155970",
            },
            {
               category: "external",
               summary: "https://www.cve.org/CVERecord?id=CVE-2022-45693",
               url: "https://www.cve.org/CVERecord?id=CVE-2022-45693",
            },
            {
               category: "external",
               summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-45693",
               url: "https://nvd.nist.gov/vuln/detail/CVE-2022-45693",
            },
         ],
         release_date: "2022-12-13T00:00:00+00:00",
         remediations: [
            {
               category: "vendor_fix",
               date: "2023-05-04T15:59:31+00:00",
               details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
               product_ids: [
                  "RHPAM 7.13.1 async",
               ],
               restart_required: {
                  category: "none",
               },
               url: "https://access.redhat.com/errata/RHSA-2023:2135",
            },
         ],
         scores: [
            {
               cvss_v3: {
                  attackComplexity: "LOW",
                  attackVector: "NETWORK",
                  availabilityImpact: "HIGH",
                  baseScore: 7.5,
                  baseSeverity: "HIGH",
                  confidentialityImpact: "NONE",
                  integrityImpact: "NONE",
                  privilegesRequired: "NONE",
                  scope: "UNCHANGED",
                  userInteraction: "NONE",
                  vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                  version: "3.1",
               },
               products: [
                  "RHPAM 7.13.1 async",
               ],
            },
         ],
         threats: [
            {
               category: "impact",
               details: "Moderate",
            },
         ],
         title: "jettison: If the value in map is the map's self, the new new JSONObject(map) cause StackOverflowError which may lead to dos",
      },
      {
         cve: "CVE-2022-46363",
         cwe: {
            id: "CWE-20",
            name: "Improper Input Validation",
         },
         discovery_date: "2022-12-21T00:00:00+00:00",
         ids: [
            {
               system_name: "Red Hat Bugzilla ID",
               text: "2155681",
            },
         ],
         notes: [
            {
               category: "description",
               text: "A vulnerability was found in Apache CXF that could allow an attacker to perform a remote directory listing or code exfiltration. This issue only applies when the CXFServlet is configured with both the static-resources-list and redirect-query-check attributes. These attributes are not supposed to be used together, so the issue can only occur if the CXF service is misconfigured.",
               title: "Vulnerability description",
            },
            {
               category: "summary",
               text: "CXF: directory listing / code exfiltration",
               title: "Vulnerability summary",
            },
            {
               category: "general",
               text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
               title: "CVSS score applicability",
            },
         ],
         product_status: {
            fixed: [
               "RHPAM 7.13.1 async",
            ],
         },
         references: [
            {
               category: "self",
               summary: "Canonical URL",
               url: "https://access.redhat.com/security/cve/CVE-2022-46363",
            },
            {
               category: "external",
               summary: "RHBZ#2155681",
               url: "https://bugzilla.redhat.com/show_bug.cgi?id=2155681",
            },
            {
               category: "external",
               summary: "https://www.cve.org/CVERecord?id=CVE-2022-46363",
               url: "https://www.cve.org/CVERecord?id=CVE-2022-46363",
            },
            {
               category: "external",
               summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-46363",
               url: "https://nvd.nist.gov/vuln/detail/CVE-2022-46363",
            },
            {
               category: "external",
               summary: "https://lists.apache.org/thread/pdzo1qgyplf4y523tnnzrcm7hoco3l8c",
               url: "https://lists.apache.org/thread/pdzo1qgyplf4y523tnnzrcm7hoco3l8c",
            },
         ],
         release_date: "2022-12-13T00:00:00+00:00",
         remediations: [
            {
               category: "vendor_fix",
               date: "2023-05-04T15:59:31+00:00",
               details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
               product_ids: [
                  "RHPAM 7.13.1 async",
               ],
               restart_required: {
                  category: "none",
               },
               url: "https://access.redhat.com/errata/RHSA-2023:2135",
            },
         ],
         scores: [
            {
               cvss_v3: {
                  attackComplexity: "LOW",
                  attackVector: "NETWORK",
                  availabilityImpact: "NONE",
                  baseScore: 7.5,
                  baseSeverity: "HIGH",
                  confidentialityImpact: "HIGH",
                  integrityImpact: "NONE",
                  privilegesRequired: "NONE",
                  scope: "UNCHANGED",
                  userInteraction: "NONE",
                  vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
                  version: "3.1",
               },
               products: [
                  "RHPAM 7.13.1 async",
               ],
            },
         ],
         threats: [
            {
               category: "impact",
               details: "Moderate",
            },
         ],
         title: "CXF: directory listing / code exfiltration",
      },
      {
         cve: "CVE-2022-46364",
         cwe: {
            id: "CWE-918",
            name: "Server-Side Request Forgery (SSRF)",
         },
         discovery_date: "2022-12-21T00:00:00+00:00",
         ids: [
            {
               system_name: "Red Hat Bugzilla ID",
               text: "2155682",
            },
         ],
         notes: [
            {
               category: "description",
               text: "A SSRF vulnerability was found in Apache CXF. This issue occurs when parsing the href attribute of XOP:Include in MTOM requests, allowing an attacker to perform SSRF style attacks on webservices that take at least one parameter of any type.",
               title: "Vulnerability description",
            },
            {
               category: "summary",
               text: "CXF: SSRF Vulnerability",
               title: "Vulnerability summary",
            },
            {
               category: "other",
               text: "Red Hat Integration Camel Quarkus does not support CXF extensions and so is affected at a reduced impact of Moderate.\nThe RHSSO server does not ship Apache CXF. The component mentioned in CVE-2022-46364 is a transitive dependency coming from Fuse adapters and the test suite.",
               title: "Statement",
            },
            {
               category: "general",
               text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
               title: "CVSS score applicability",
            },
         ],
         product_status: {
            fixed: [
               "RHPAM 7.13.1 async",
            ],
         },
         references: [
            {
               category: "self",
               summary: "Canonical URL",
               url: "https://access.redhat.com/security/cve/CVE-2022-46364",
            },
            {
               category: "external",
               summary: "RHBZ#2155682",
               url: "https://bugzilla.redhat.com/show_bug.cgi?id=2155682",
            },
            {
               category: "external",
               summary: "https://www.cve.org/CVERecord?id=CVE-2022-46364",
               url: "https://www.cve.org/CVERecord?id=CVE-2022-46364",
            },
            {
               category: "external",
               summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-46364",
               url: "https://nvd.nist.gov/vuln/detail/CVE-2022-46364",
            },
            {
               category: "external",
               summary: "https://cxf.apache.org/security-advisories.data/CVE-2022-46364.txt?version=1&modificationDate=1670944472739&api=v2",
               url: "https://cxf.apache.org/security-advisories.data/CVE-2022-46364.txt?version=1&modificationDate=1670944472739&api=v2",
            },
         ],
         release_date: "2022-12-13T00:00:00+00:00",
         remediations: [
            {
               category: "vendor_fix",
               date: "2023-05-04T15:59:31+00:00",
               details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
               product_ids: [
                  "RHPAM 7.13.1 async",
               ],
               restart_required: {
                  category: "none",
               },
               url: "https://access.redhat.com/errata/RHSA-2023:2135",
            },
         ],
         scores: [
            {
               cvss_v3: {
                  attackComplexity: "LOW",
                  attackVector: "NETWORK",
                  availabilityImpact: "HIGH",
                  baseScore: 9.8,
                  baseSeverity: "CRITICAL",
                  confidentialityImpact: "HIGH",
                  integrityImpact: "HIGH",
                  privilegesRequired: "NONE",
                  scope: "UNCHANGED",
                  userInteraction: "NONE",
                  vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                  version: "3.1",
               },
               products: [
                  "RHPAM 7.13.1 async",
               ],
            },
         ],
         threats: [
            {
               category: "impact",
               details: "Important",
            },
         ],
         title: "CXF: SSRF Vulnerability",
      },
      {
         cve: "CVE-2023-1108",
         cwe: {
            id: "CWE-835",
            name: "Loop with Unreachable Exit Condition ('Infinite Loop')",
         },
         discovery_date: "2023-02-07T00:00:00+00:00",
         ids: [
            {
               system_name: "Red Hat Bugzilla ID",
               text: "2174246",
            },
         ],
         notes: [
            {
               category: "description",
               text: "A flaw was found in undertow. This issue makes achieving a denial of service possible due to an unexpected handshake status updated in SslConduit, where the loop never terminates.",
               title: "Vulnerability description",
            },
            {
               category: "summary",
               text: "Undertow: Infinite loop in SslConduit during close",
               title: "Vulnerability summary",
            },
            {
               category: "general",
               text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
               title: "CVSS score applicability",
            },
         ],
         product_status: {
            fixed: [
               "RHPAM 7.13.1 async",
            ],
         },
         references: [
            {
               category: "self",
               summary: "Canonical URL",
               url: "https://access.redhat.com/security/cve/CVE-2023-1108",
            },
            {
               category: "external",
               summary: "RHBZ#2174246",
               url: "https://bugzilla.redhat.com/show_bug.cgi?id=2174246",
            },
            {
               category: "external",
               summary: "https://www.cve.org/CVERecord?id=CVE-2023-1108",
               url: "https://www.cve.org/CVERecord?id=CVE-2023-1108",
            },
            {
               category: "external",
               summary: "https://nvd.nist.gov/vuln/detail/CVE-2023-1108",
               url: "https://nvd.nist.gov/vuln/detail/CVE-2023-1108",
            },
            {
               category: "external",
               summary: "https://github.com/advisories/GHSA-m4mm-pg93-fv78",
               url: "https://github.com/advisories/GHSA-m4mm-pg93-fv78",
            },
         ],
         release_date: "2023-03-07T00:00:00+00:00",
         remediations: [
            {
               category: "vendor_fix",
               date: "2023-05-04T15:59:31+00:00",
               details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
               product_ids: [
                  "RHPAM 7.13.1 async",
               ],
               restart_required: {
                  category: "none",
               },
               url: "https://access.redhat.com/errata/RHSA-2023:2135",
            },
         ],
         scores: [
            {
               cvss_v3: {
                  attackComplexity: "LOW",
                  attackVector: "NETWORK",
                  availabilityImpact: "HIGH",
                  baseScore: 7.5,
                  baseSeverity: "HIGH",
                  confidentialityImpact: "NONE",
                  integrityImpact: "NONE",
                  privilegesRequired: "NONE",
                  scope: "UNCHANGED",
                  userInteraction: "NONE",
                  vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                  version: "3.1",
               },
               products: [
                  "RHPAM 7.13.1 async",
               ],
            },
         ],
         threats: [
            {
               category: "impact",
               details: "Important",
            },
         ],
         title: "Undertow: Infinite loop in SslConduit during close",
      },
   ],
}

rhsa-2023:3906

Vulnerability from csaf_redhat

Published

2023-06-28 15:59

Modified

2025-03-14 23:59

Summary

Red Hat Security Advisory: Red Hat Integration Camel K 1.10.1 release security update

Notes

Topic

Details

JSON

To clipboard

{
   document: {
      aggregate_severity: {
         namespace: "https://access.redhat.com/security/updates/classification/",
         text: "Important",
      },
      category: "csaf_security_advisory",
      csaf_version: "2.0",
      distribution: {
         text: "Copyright © Red Hat, Inc. All rights reserved.",
         tlp: {
            label: "WHITE",
            url: "https://www.first.org/tlp/",
         },
      },
      lang: "en",
      notes: [
         {
            category: "summary",
            text: "Red Hat Integration Camel K 1.10.1 release and security update is now available. The purpose of this text-only errata is to inform you about the security issues fixed. Red Hat Product Security has rated this update as having an impact of Important.",
            title: "Topic",
         },
         {
            category: "general",
            text: "A security update for Camel K 1.10.1 is now available.\n\nThe purpose of this text-only errata is to inform you about the security issues fixed with this release.\n\n* json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion)(CVE-2023-1370)\n\n* codehaus-plexus: Directory Traversal (CVE-2022-4244)\n\n* codehaus-plexus: XML External Entity (XXE) Injection (CVE-2022-4245)\n\n* scandium: Failing DTLS handshakes may cause throttling to block processing of records (CVE-2022-39368)\n\n* jdbc-postgresql: postgresql-jdbc: Information leak of prepared statement data due to insecure temporary file permissions (CVE-2022-41946)\n\n* Apache CXF: directory listing / code exfiltration (CVE-2022-46363)\n\nA Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
            title: "Details",
         },
         {
            category: "legal_disclaimer",
            text: "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
            title: "Terms of Use",
         },
      ],
      publisher: {
         category: "vendor",
         contact_details: "https://access.redhat.com/security/team/contact/",
         issuing_authority: "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
         name: "Red Hat Product Security",
         namespace: "https://www.redhat.com",
      },
      references: [
         {
            category: "self",
            summary: "https://access.redhat.com/errata/RHSA-2023:3906",
            url: "https://access.redhat.com/errata/RHSA-2023:3906",
         },
         {
            category: "external",
            summary: "https://access.redhat.com/security/updates/classification/#important",
            url: "https://access.redhat.com/security/updates/classification/#important",
         },
         {
            category: "external",
            summary: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=red.hat.integration&version=2023-Q2",
            url: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=red.hat.integration&version=2023-Q2",
         },
         {
            category: "external",
            summary: "2145205",
            url: "https://bugzilla.redhat.com/show_bug.cgi?id=2145205",
         },
         {
            category: "external",
            summary: "2149841",
            url: "https://bugzilla.redhat.com/show_bug.cgi?id=2149841",
         },
         {
            category: "external",
            summary: "2149843",
            url: "https://bugzilla.redhat.com/show_bug.cgi?id=2149843",
         },
         {
            category: "external",
            summary: "2153399",
            url: "https://bugzilla.redhat.com/show_bug.cgi?id=2153399",
         },
         {
            category: "external",
            summary: "2155681",
            url: "https://bugzilla.redhat.com/show_bug.cgi?id=2155681",
         },
         {
            category: "external",
            summary: "2188542",
            url: "https://bugzilla.redhat.com/show_bug.cgi?id=2188542",
         },
         {
            category: "self",
            summary: "Canonical URL",
            url: "https://security.access.redhat.com/data/csaf/v2/advisories/2023/rhsa-2023_3906.json",
         },
      ],
      title: "Red Hat Security Advisory: Red Hat Integration Camel K 1.10.1 release security update",
      tracking: {
         current_release_date: "2025-03-14T23:59:20+00:00",
         generator: {
            date: "2025-03-14T23:59:20+00:00",
            engine: {
               name: "Red Hat SDEngine",
               version: "4.4.1",
            },
         },
         id: "RHSA-2023:3906",
         initial_release_date: "2023-06-28T15:59:12+00:00",
         revision_history: [
            {
               date: "2023-06-28T15:59:12+00:00",
               number: "1",
               summary: "Initial version",
            },
            {
               date: "2023-06-28T15:59:12+00:00",
               number: "2",
               summary: "Last updated version",
            },
            {
               date: "2025-03-14T23:59:20+00:00",
               number: "3",
               summary: "Last generated version",
            },
         ],
         status: "final",
         version: "3",
      },
   },
   product_tree: {
      branches: [
         {
            branches: [
               {
                  branches: [
                     {
                        category: "product_name",
                        name: "RHINT Camel-K-1.10.1",
                        product: {
                           name: "RHINT Camel-K-1.10.1",
                           product_id: "RHINT Camel-K-1.10.1",
                           product_identification_helper: {
                              cpe: "cpe:/a:redhat:camel_k:1",
                           },
                        },
                     },
                  ],
                  category: "product_family",
                  name: "Red Hat Integration",
               },
            ],
            category: "vendor",
            name: "Red Hat",
         },
      ],
   },
   vulnerabilities: [
      {
         cve: "CVE-2022-4244",
         cwe: {
            id: "CWE-22",
            name: "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')",
         },
         discovery_date: "2022-12-01T00:00:00+00:00",
         ids: [
            {
               system_name: "Red Hat Bugzilla ID",
               text: "2149841",
            },
         ],
         notes: [
            {
               category: "description",
               text: "A flaw was found in codeplex-codehaus. A directory traversal attack (also known as path traversal) aims to access files and directories stored outside the intended folder. By manipulating files with \"dot-dot-slash (../)\" sequences and their variations or by using absolute file paths, it may be possible to access arbitrary files and directories stored on the file system, including application source code, configuration, and other critical system files.",
               title: "Vulnerability description",
            },
            {
               category: "summary",
               text: "codehaus-plexus: Directory Traversal",
               title: "Vulnerability summary",
            },
            {
               category: "other",
               text: "Red Hat Single Sign-On uses this package for testing purposes and is not delivered with the distribution. Hence not affected status.",
               title: "Statement",
            },
            {
               category: "general",
               text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
               title: "CVSS score applicability",
            },
         ],
         product_status: {
            fixed: [
               "RHINT Camel-K-1.10.1",
            ],
         },
         references: [
            {
               category: "self",
               summary: "Canonical URL",
               url: "https://access.redhat.com/security/cve/CVE-2022-4244",
            },
            {
               category: "external",
               summary: "RHBZ#2149841",
               url: "https://bugzilla.redhat.com/show_bug.cgi?id=2149841",
            },
            {
               category: "external",
               summary: "https://www.cve.org/CVERecord?id=CVE-2022-4244",
               url: "https://www.cve.org/CVERecord?id=CVE-2022-4244",
            },
            {
               category: "external",
               summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-4244",
               url: "https://nvd.nist.gov/vuln/detail/CVE-2022-4244",
            },
         ],
         release_date: "2022-12-01T00:00:00+00:00",
         remediations: [
            {
               category: "vendor_fix",
               date: "2023-06-28T15:59:12+00:00",
               details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
               product_ids: [
                  "RHINT Camel-K-1.10.1",
               ],
               restart_required: {
                  category: "none",
               },
               url: "https://access.redhat.com/errata/RHSA-2023:3906",
            },
         ],
         scores: [
            {
               cvss_v3: {
                  attackComplexity: "LOW",
                  attackVector: "NETWORK",
                  availabilityImpact: "NONE",
                  baseScore: 7.5,
                  baseSeverity: "HIGH",
                  confidentialityImpact: "HIGH",
                  integrityImpact: "NONE",
                  privilegesRequired: "NONE",
                  scope: "UNCHANGED",
                  userInteraction: "NONE",
                  vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
                  version: "3.1",
               },
               products: [
                  "RHINT Camel-K-1.10.1",
               ],
            },
         ],
         threats: [
            {
               category: "impact",
               details: "Moderate",
            },
         ],
         title: "codehaus-plexus: Directory Traversal",
      },
      {
         cve: "CVE-2022-4245",
         cwe: {
            id: "CWE-91",
            name: "XML Injection (aka Blind XPath Injection)",
         },
         discovery_date: "2022-12-01T00:00:00+00:00",
         ids: [
            {
               system_name: "Red Hat Bugzilla ID",
               text: "2149843",
            },
         ],
         notes: [
            {
               category: "description",
               text: "A flaw was found in codehaus-plexus. The org.codehaus.plexus.util.xml.XmlWriterUtil#writeComment fails to sanitize comments for a --> sequence. This issue means that text contained in the command string could be interpreted as XML and allow for XML injection.",
               title: "Vulnerability description",
            },
            {
               category: "summary",
               text: "codehaus-plexus: XML External Entity (XXE) Injection",
               title: "Vulnerability summary",
            },
            {
               category: "general",
               text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
               title: "CVSS score applicability",
            },
         ],
         product_status: {
            fixed: [
               "RHINT Camel-K-1.10.1",
            ],
         },
         references: [
            {
               category: "self",
               summary: "Canonical URL",
               url: "https://access.redhat.com/security/cve/CVE-2022-4245",
            },
            {
               category: "external",
               summary: "RHBZ#2149843",
               url: "https://bugzilla.redhat.com/show_bug.cgi?id=2149843",
            },
            {
               category: "external",
               summary: "https://www.cve.org/CVERecord?id=CVE-2022-4245",
               url: "https://www.cve.org/CVERecord?id=CVE-2022-4245",
            },
            {
               category: "external",
               summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-4245",
               url: "https://nvd.nist.gov/vuln/detail/CVE-2022-4245",
            },
         ],
         release_date: "2022-12-01T00:00:00+00:00",
         remediations: [
            {
               category: "vendor_fix",
               date: "2023-06-28T15:59:12+00:00",
               details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
               product_ids: [
                  "RHINT Camel-K-1.10.1",
               ],
               restart_required: {
                  category: "none",
               },
               url: "https://access.redhat.com/errata/RHSA-2023:3906",
            },
         ],
         scores: [
            {
               cvss_v3: {
                  attackComplexity: "LOW",
                  attackVector: "NETWORK",
                  availabilityImpact: "NONE",
                  baseScore: 4.3,
                  baseSeverity: "MEDIUM",
                  confidentialityImpact: "LOW",
                  integrityImpact: "NONE",
                  privilegesRequired: "LOW",
                  scope: "UNCHANGED",
                  userInteraction: "NONE",
                  vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
                  version: "3.1",
               },
               products: [
                  "RHINT Camel-K-1.10.1",
               ],
            },
         ],
         threats: [
            {
               category: "impact",
               details: "Moderate",
            },
         ],
         title: "codehaus-plexus: XML External Entity (XXE) Injection",
      },
      {
         cve: "CVE-2022-39368",
         cwe: {
            id: "CWE-459",
            name: "Incomplete Cleanup",
         },
         discovery_date: "2022-11-23T00:00:00+00:00",
         ids: [
            {
               system_name: "Red Hat Bugzilla ID",
               text: "2145205",
            },
         ],
         notes: [
            {
               category: "description",
               text: "A flaw was found in the Eclipse Californium Scandium package. This issue occurs when failing handshakes don't clean up counters for throttling, causing the threshold to be reached without being released again, resulting in a denial of service. An attacker could submit a high quantity of server requests, leaving the server unable to respond.",
               title: "Vulnerability description",
            },
            {
               category: "summary",
               text: "scandium: Failing DTLS handshakes may cause throttling to block processing of records",
               title: "Vulnerability summary",
            },
            {
               category: "general",
               text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
               title: "CVSS score applicability",
            },
         ],
         product_status: {
            fixed: [
               "RHINT Camel-K-1.10.1",
            ],
         },
         references: [
            {
               category: "self",
               summary: "Canonical URL",
               url: "https://access.redhat.com/security/cve/CVE-2022-39368",
            },
            {
               category: "external",
               summary: "RHBZ#2145205",
               url: "https://bugzilla.redhat.com/show_bug.cgi?id=2145205",
            },
            {
               category: "external",
               summary: "https://www.cve.org/CVERecord?id=CVE-2022-39368",
               url: "https://www.cve.org/CVERecord?id=CVE-2022-39368",
            },
            {
               category: "external",
               summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-39368",
               url: "https://nvd.nist.gov/vuln/detail/CVE-2022-39368",
            },
            {
               category: "external",
               summary: "https://github.com/eclipse-californium/californium/security/advisories/GHSA-p72g-cgh9-ghjgc",
               url: "https://github.com/eclipse-californium/californium/security/advisories/GHSA-p72g-cgh9-ghjgc",
            },
         ],
         release_date: "2022-11-10T00:00:00+00:00",
         remediations: [
            {
               category: "vendor_fix",
               date: "2023-06-28T15:59:12+00:00",
               details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
               product_ids: [
                  "RHINT Camel-K-1.10.1",
               ],
               restart_required: {
                  category: "none",
               },
               url: "https://access.redhat.com/errata/RHSA-2023:3906",
            },
         ],
         scores: [
            {
               cvss_v3: {
                  attackComplexity: "LOW",
                  attackVector: "NETWORK",
                  availabilityImpact: "HIGH",
                  baseScore: 8.2,
                  baseSeverity: "HIGH",
                  confidentialityImpact: "NONE",
                  integrityImpact: "LOW",
                  privilegesRequired: "NONE",
                  scope: "UNCHANGED",
                  userInteraction: "NONE",
                  vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H",
                  version: "3.1",
               },
               products: [
                  "RHINT Camel-K-1.10.1",
               ],
            },
         ],
         threats: [
            {
               category: "impact",
               details: "Moderate",
            },
         ],
         title: "scandium: Failing DTLS handshakes may cause throttling to block processing of records",
      },
      {
         cve: "CVE-2022-41946",
         cwe: {
            id: "CWE-377",
            name: "Insecure Temporary File",
         },
         discovery_date: "2022-12-14T00:00:00+00:00",
         ids: [
            {
               system_name: "Red Hat Bugzilla ID",
               text: "2153399",
            },
         ],
         notes: [
            {
               category: "description",
               text: "A flaw was found in org.postgresql. This issue allows the creation of a temporary file when using PreparedStatement.setText(int, InputStream) and PreparedStatemet.setBytea(int, InputStream). This could allow a user to create an unexpected file available to all users, which could end in unexpected behavior.",
               title: "Vulnerability description",
            },
            {
               category: "summary",
               text: "postgresql-jdbc: Information leak of prepared statement data due to insecure temporary file permissions",
               title: "Vulnerability summary",
            },
            {
               category: "other",
               text: "Red Hat Satellite ships a PostgreSQL JDBC Driver for Hibernate ORM framework, which is embeds into Candlepin. Although Candlepin itself doesn't make direct use of the PreparedStatement methods from the PostgreSQL JDBC Driver, Hibernate ORM does utilize these methods, potentially making framework affected. Satellite server operating in an environment with untrusted users while the driver is running are vulnerable to the flaw, however, deployments without untrusted users are considered safe. A future Satellite update should address this issue.",
               title: "Statement",
            },
            {
               category: "general",
               text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
               title: "CVSS score applicability",
            },
         ],
         product_status: {
            fixed: [
               "RHINT Camel-K-1.10.1",
            ],
         },
         references: [
            {
               category: "self",
               summary: "Canonical URL",
               url: "https://access.redhat.com/security/cve/CVE-2022-41946",
            },
            {
               category: "external",
               summary: "RHBZ#2153399",
               url: "https://bugzilla.redhat.com/show_bug.cgi?id=2153399",
            },
            {
               category: "external",
               summary: "https://www.cve.org/CVERecord?id=CVE-2022-41946",
               url: "https://www.cve.org/CVERecord?id=CVE-2022-41946",
            },
            {
               category: "external",
               summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-41946",
               url: "https://nvd.nist.gov/vuln/detail/CVE-2022-41946",
            },
         ],
         release_date: "2022-11-23T00:00:00+00:00",
         remediations: [
            {
               category: "vendor_fix",
               date: "2023-06-28T15:59:12+00:00",
               details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
               product_ids: [
                  "RHINT Camel-K-1.10.1",
               ],
               restart_required: {
                  category: "none",
               },
               url: "https://access.redhat.com/errata/RHSA-2023:3906",
            },
         ],
         scores: [
            {
               cvss_v3: {
                  attackComplexity: "LOW",
                  attackVector: "LOCAL",
                  availabilityImpact: "NONE",
                  baseScore: 5.5,
                  baseSeverity: "MEDIUM",
                  confidentialityImpact: "HIGH",
                  integrityImpact: "NONE",
                  privilegesRequired: "LOW",
                  scope: "UNCHANGED",
                  userInteraction: "NONE",
                  vectorString: "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
                  version: "3.1",
               },
               products: [
                  "RHINT Camel-K-1.10.1",
               ],
            },
         ],
         threats: [
            {
               category: "impact",
               details: "Moderate",
            },
         ],
         title: "postgresql-jdbc: Information leak of prepared statement data due to insecure temporary file permissions",
      },
      {
         cve: "CVE-2022-46363",
         cwe: {
            id: "CWE-20",
            name: "Improper Input Validation",
         },
         discovery_date: "2022-12-21T00:00:00+00:00",
         ids: [
            {
               system_name: "Red Hat Bugzilla ID",
               text: "2155681",
            },
         ],
         notes: [
            {
               category: "description",
               text: "A vulnerability was found in Apache CXF that could allow an attacker to perform a remote directory listing or code exfiltration. This issue only applies when the CXFServlet is configured with both the static-resources-list and redirect-query-check attributes. These attributes are not supposed to be used together, so the issue can only occur if the CXF service is misconfigured.",
               title: "Vulnerability description",
            },
            {
               category: "summary",
               text: "CXF: directory listing / code exfiltration",
               title: "Vulnerability summary",
            },
            {
               category: "general",
               text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
               title: "CVSS score applicability",
            },
         ],
         product_status: {
            fixed: [
               "RHINT Camel-K-1.10.1",
            ],
         },
         references: [
            {
               category: "self",
               summary: "Canonical URL",
               url: "https://access.redhat.com/security/cve/CVE-2022-46363",
            },
            {
               category: "external",
               summary: "RHBZ#2155681",
               url: "https://bugzilla.redhat.com/show_bug.cgi?id=2155681",
            },
            {
               category: "external",
               summary: "https://www.cve.org/CVERecord?id=CVE-2022-46363",
               url: "https://www.cve.org/CVERecord?id=CVE-2022-46363",
            },
            {
               category: "external",
               summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-46363",
               url: "https://nvd.nist.gov/vuln/detail/CVE-2022-46363",
            },
            {
               category: "external",
               summary: "https://lists.apache.org/thread/pdzo1qgyplf4y523tnnzrcm7hoco3l8c",
               url: "https://lists.apache.org/thread/pdzo1qgyplf4y523tnnzrcm7hoco3l8c",
            },
         ],
         release_date: "2022-12-13T00:00:00+00:00",
         remediations: [
            {
               category: "vendor_fix",
               date: "2023-06-28T15:59:12+00:00",
               details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
               product_ids: [
                  "RHINT Camel-K-1.10.1",
               ],
               restart_required: {
                  category: "none",
               },
               url: "https://access.redhat.com/errata/RHSA-2023:3906",
            },
         ],
         scores: [
            {
               cvss_v3: {
                  attackComplexity: "LOW",
                  attackVector: "NETWORK",
                  availabilityImpact: "NONE",
                  baseScore: 7.5,
                  baseSeverity: "HIGH",
                  confidentialityImpact: "HIGH",
                  integrityImpact: "NONE",
                  privilegesRequired: "NONE",
                  scope: "UNCHANGED",
                  userInteraction: "NONE",
                  vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
                  version: "3.1",
               },
               products: [
                  "RHINT Camel-K-1.10.1",
               ],
            },
         ],
         threats: [
            {
               category: "impact",
               details: "Moderate",
            },
         ],
         title: "CXF: directory listing / code exfiltration",
      },
      {
         cve: "CVE-2023-1370",
         cwe: {
            id: "CWE-674",
            name: "Uncontrolled Recursion",
         },
         discovery_date: "2023-04-21T00:00:00+00:00",
         ids: [
            {
               system_name: "Red Hat Bugzilla ID",
               text: "2188542",
            },
         ],
         notes: [
            {
               category: "description",
               text: "A flaw was found in the json-smart package. This security flaw occurs when reaching a ‘[‘ or ‘{‘ character in the JSON input, and the code parses an array or an object, respectively. The 3PP does not have any limit to the nesting of such arrays or objects. Since nested arrays and objects are parsed recursively, nesting too many of them can cause stack exhaustion (stack overflow) and crash the software.",
               title: "Vulnerability description",
            },
            {
               category: "summary",
               text: "json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion)",
               title: "Vulnerability summary",
            },
            {
               category: "general",
               text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
               title: "CVSS score applicability",
            },
         ],
         product_status: {
            fixed: [
               "RHINT Camel-K-1.10.1",
            ],
         },
         references: [
            {
               category: "self",
               summary: "Canonical URL",
               url: "https://access.redhat.com/security/cve/CVE-2023-1370",
            },
            {
               category: "external",
               summary: "RHBZ#2188542",
               url: "https://bugzilla.redhat.com/show_bug.cgi?id=2188542",
            },
            {
               category: "external",
               summary: "https://www.cve.org/CVERecord?id=CVE-2023-1370",
               url: "https://www.cve.org/CVERecord?id=CVE-2023-1370",
            },
            {
               category: "external",
               summary: "https://nvd.nist.gov/vuln/detail/CVE-2023-1370",
               url: "https://nvd.nist.gov/vuln/detail/CVE-2023-1370",
            },
            {
               category: "external",
               summary: "https://github.com/advisories/GHSA-493p-pfq6-5258",
               url: "https://github.com/advisories/GHSA-493p-pfq6-5258",
            },
            {
               category: "external",
               summary: "https://research.jfrog.com/vulnerabilities/stack-exhaustion-in-json-smart-leads-to-denial-of-service-when-parsing-malformed-json-xray-427633/",
               url: "https://research.jfrog.com/vulnerabilities/stack-exhaustion-in-json-smart-leads-to-denial-of-service-when-parsing-malformed-json-xray-427633/",
            },
         ],
         release_date: "2023-03-22T00:00:00+00:00",
         remediations: [
            {
               category: "vendor_fix",
               date: "2023-06-28T15:59:12+00:00",
               details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
               product_ids: [
                  "RHINT Camel-K-1.10.1",
               ],
               restart_required: {
                  category: "none",
               },
               url: "https://access.redhat.com/errata/RHSA-2023:3906",
            },
         ],
         scores: [
            {
               cvss_v3: {
                  attackComplexity: "LOW",
                  attackVector: "NETWORK",
                  availabilityImpact: "HIGH",
                  baseScore: 7.5,
                  baseSeverity: "HIGH",
                  confidentialityImpact: "NONE",
                  integrityImpact: "NONE",
                  privilegesRequired: "NONE",
                  scope: "UNCHANGED",
                  userInteraction: "NONE",
                  vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                  version: "3.1",
               },
               products: [
                  "RHINT Camel-K-1.10.1",
               ],
            },
         ],
         threats: [
            {
               category: "impact",
               details: "Important",
            },
         ],
         title: "json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion)",
      },
   ],
}

RHSA-2023:3906

Vulnerability from csaf_redhat

Published

2023-06-28 15:59

Modified

2025-03-14 23:59

Summary

Red Hat Security Advisory: Red Hat Integration Camel K 1.10.1 release security update

Notes

Topic

Details

JSON

To clipboard

{
   document: {
      aggregate_severity: {
         namespace: "https://access.redhat.com/security/updates/classification/",
         text: "Important",
      },
      category: "csaf_security_advisory",
      csaf_version: "2.0",
      distribution: {
         text: "Copyright © Red Hat, Inc. All rights reserved.",
         tlp: {
            label: "WHITE",
            url: "https://www.first.org/tlp/",
         },
      },
      lang: "en",
      notes: [
         {
            category: "summary",
            text: "Red Hat Integration Camel K 1.10.1 release and security update is now available. The purpose of this text-only errata is to inform you about the security issues fixed. Red Hat Product Security has rated this update as having an impact of Important.",
            title: "Topic",
         },
         {
            category: "general",
            text: "A security update for Camel K 1.10.1 is now available.\n\nThe purpose of this text-only errata is to inform you about the security issues fixed with this release.\n\n* json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion)(CVE-2023-1370)\n\n* codehaus-plexus: Directory Traversal (CVE-2022-4244)\n\n* codehaus-plexus: XML External Entity (XXE) Injection (CVE-2022-4245)\n\n* scandium: Failing DTLS handshakes may cause throttling to block processing of records (CVE-2022-39368)\n\n* jdbc-postgresql: postgresql-jdbc: Information leak of prepared statement data due to insecure temporary file permissions (CVE-2022-41946)\n\n* Apache CXF: directory listing / code exfiltration (CVE-2022-46363)\n\nA Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
            title: "Details",
         },
         {
            category: "legal_disclaimer",
            text: "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
            title: "Terms of Use",
         },
      ],
      publisher: {
         category: "vendor",
         contact_details: "https://access.redhat.com/security/team/contact/",
         issuing_authority: "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
         name: "Red Hat Product Security",
         namespace: "https://www.redhat.com",
      },
      references: [
         {
            category: "self",
            summary: "https://access.redhat.com/errata/RHSA-2023:3906",
            url: "https://access.redhat.com/errata/RHSA-2023:3906",
         },
         {
            category: "external",
            summary: "https://access.redhat.com/security/updates/classification/#important",
            url: "https://access.redhat.com/security/updates/classification/#important",
         },
         {
            category: "external",
            summary: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=red.hat.integration&version=2023-Q2",
            url: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=red.hat.integration&version=2023-Q2",
         },
         {
            category: "external",
            summary: "2145205",
            url: "https://bugzilla.redhat.com/show_bug.cgi?id=2145205",
         },
         {
            category: "external",
            summary: "2149841",
            url: "https://bugzilla.redhat.com/show_bug.cgi?id=2149841",
         },
         {
            category: "external",
            summary: "2149843",
            url: "https://bugzilla.redhat.com/show_bug.cgi?id=2149843",
         },
         {
            category: "external",
            summary: "2153399",
            url: "https://bugzilla.redhat.com/show_bug.cgi?id=2153399",
         },
         {
            category: "external",
            summary: "2155681",
            url: "https://bugzilla.redhat.com/show_bug.cgi?id=2155681",
         },
         {
            category: "external",
            summary: "2188542",
            url: "https://bugzilla.redhat.com/show_bug.cgi?id=2188542",
         },
         {
            category: "self",
            summary: "Canonical URL",
            url: "https://security.access.redhat.com/data/csaf/v2/advisories/2023/rhsa-2023_3906.json",
         },
      ],
      title: "Red Hat Security Advisory: Red Hat Integration Camel K 1.10.1 release security update",
      tracking: {
         current_release_date: "2025-03-14T23:59:20+00:00",
         generator: {
            date: "2025-03-14T23:59:20+00:00",
            engine: {
               name: "Red Hat SDEngine",
               version: "4.4.1",
            },
         },
         id: "RHSA-2023:3906",
         initial_release_date: "2023-06-28T15:59:12+00:00",
         revision_history: [
            {
               date: "2023-06-28T15:59:12+00:00",
               number: "1",
               summary: "Initial version",
            },
            {
               date: "2023-06-28T15:59:12+00:00",
               number: "2",
               summary: "Last updated version",
            },
            {
               date: "2025-03-14T23:59:20+00:00",
               number: "3",
               summary: "Last generated version",
            },
         ],
         status: "final",
         version: "3",
      },
   },
   product_tree: {
      branches: [
         {
            branches: [
               {
                  branches: [
                     {
                        category: "product_name",
                        name: "RHINT Camel-K-1.10.1",
                        product: {
                           name: "RHINT Camel-K-1.10.1",
                           product_id: "RHINT Camel-K-1.10.1",
                           product_identification_helper: {
                              cpe: "cpe:/a:redhat:camel_k:1",
                           },
                        },
                     },
                  ],
                  category: "product_family",
                  name: "Red Hat Integration",
               },
            ],
            category: "vendor",
            name: "Red Hat",
         },
      ],
   },
   vulnerabilities: [
      {
         cve: "CVE-2022-4244",
         cwe: {
            id: "CWE-22",
            name: "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')",
         },
         discovery_date: "2022-12-01T00:00:00+00:00",
         ids: [
            {
               system_name: "Red Hat Bugzilla ID",
               text: "2149841",
            },
         ],
         notes: [
            {
               category: "description",
               text: "A flaw was found in codeplex-codehaus. A directory traversal attack (also known as path traversal) aims to access files and directories stored outside the intended folder. By manipulating files with \"dot-dot-slash (../)\" sequences and their variations or by using absolute file paths, it may be possible to access arbitrary files and directories stored on the file system, including application source code, configuration, and other critical system files.",
               title: "Vulnerability description",
            },
            {
               category: "summary",
               text: "codehaus-plexus: Directory Traversal",
               title: "Vulnerability summary",
            },
            {
               category: "other",
               text: "Red Hat Single Sign-On uses this package for testing purposes and is not delivered with the distribution. Hence not affected status.",
               title: "Statement",
            },
            {
               category: "general",
               text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
               title: "CVSS score applicability",
            },
         ],
         product_status: {
            fixed: [
               "RHINT Camel-K-1.10.1",
            ],
         },
         references: [
            {
               category: "self",
               summary: "Canonical URL",
               url: "https://access.redhat.com/security/cve/CVE-2022-4244",
            },
            {
               category: "external",
               summary: "RHBZ#2149841",
               url: "https://bugzilla.redhat.com/show_bug.cgi?id=2149841",
            },
            {
               category: "external",
               summary: "https://www.cve.org/CVERecord?id=CVE-2022-4244",
               url: "https://www.cve.org/CVERecord?id=CVE-2022-4244",
            },
            {
               category: "external",
               summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-4244",
               url: "https://nvd.nist.gov/vuln/detail/CVE-2022-4244",
            },
         ],
         release_date: "2022-12-01T00:00:00+00:00",
         remediations: [
            {
               category: "vendor_fix",
               date: "2023-06-28T15:59:12+00:00",
               details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
               product_ids: [
                  "RHINT Camel-K-1.10.1",
               ],
               restart_required: {
                  category: "none",
               },
               url: "https://access.redhat.com/errata/RHSA-2023:3906",
            },
         ],
         scores: [
            {
               cvss_v3: {
                  attackComplexity: "LOW",
                  attackVector: "NETWORK",
                  availabilityImpact: "NONE",
                  baseScore: 7.5,
                  baseSeverity: "HIGH",
                  confidentialityImpact: "HIGH",
                  integrityImpact: "NONE",
                  privilegesRequired: "NONE",
                  scope: "UNCHANGED",
                  userInteraction: "NONE",
                  vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
                  version: "3.1",
               },
               products: [
                  "RHINT Camel-K-1.10.1",
               ],
            },
         ],
         threats: [
            {
               category: "impact",
               details: "Moderate",
            },
         ],
         title: "codehaus-plexus: Directory Traversal",
      },
      {
         cve: "CVE-2022-4245",
         cwe: {
            id: "CWE-91",
            name: "XML Injection (aka Blind XPath Injection)",
         },
         discovery_date: "2022-12-01T00:00:00+00:00",
         ids: [
            {
               system_name: "Red Hat Bugzilla ID",
               text: "2149843",
            },
         ],
         notes: [
            {
               category: "description",
               text: "A flaw was found in codehaus-plexus. The org.codehaus.plexus.util.xml.XmlWriterUtil#writeComment fails to sanitize comments for a --> sequence. This issue means that text contained in the command string could be interpreted as XML and allow for XML injection.",
               title: "Vulnerability description",
            },
            {
               category: "summary",
               text: "codehaus-plexus: XML External Entity (XXE) Injection",
               title: "Vulnerability summary",
            },
            {
               category: "general",
               text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
               title: "CVSS score applicability",
            },
         ],
         product_status: {
            fixed: [
               "RHINT Camel-K-1.10.1",
            ],
         },
         references: [
            {
               category: "self",
               summary: "Canonical URL",
               url: "https://access.redhat.com/security/cve/CVE-2022-4245",
            },
            {
               category: "external",
               summary: "RHBZ#2149843",
               url: "https://bugzilla.redhat.com/show_bug.cgi?id=2149843",
            },
            {
               category: "external",
               summary: "https://www.cve.org/CVERecord?id=CVE-2022-4245",
               url: "https://www.cve.org/CVERecord?id=CVE-2022-4245",
            },
            {
               category: "external",
               summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-4245",
               url: "https://nvd.nist.gov/vuln/detail/CVE-2022-4245",
            },
         ],
         release_date: "2022-12-01T00:00:00+00:00",
         remediations: [
            {
               category: "vendor_fix",
               date: "2023-06-28T15:59:12+00:00",
               details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
               product_ids: [
                  "RHINT Camel-K-1.10.1",
               ],
               restart_required: {
                  category: "none",
               },
               url: "https://access.redhat.com/errata/RHSA-2023:3906",
            },
         ],
         scores: [
            {
               cvss_v3: {
                  attackComplexity: "LOW",
                  attackVector: "NETWORK",
                  availabilityImpact: "NONE",
                  baseScore: 4.3,
                  baseSeverity: "MEDIUM",
                  confidentialityImpact: "LOW",
                  integrityImpact: "NONE",
                  privilegesRequired: "LOW",
                  scope: "UNCHANGED",
                  userInteraction: "NONE",
                  vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
                  version: "3.1",
               },
               products: [
                  "RHINT Camel-K-1.10.1",
               ],
            },
         ],
         threats: [
            {
               category: "impact",
               details: "Moderate",
            },
         ],
         title: "codehaus-plexus: XML External Entity (XXE) Injection",
      },
      {
         cve: "CVE-2022-39368",
         cwe: {
            id: "CWE-459",
            name: "Incomplete Cleanup",
         },
         discovery_date: "2022-11-23T00:00:00+00:00",
         ids: [
            {
               system_name: "Red Hat Bugzilla ID",
               text: "2145205",
            },
         ],
         notes: [
            {
               category: "description",
               text: "A flaw was found in the Eclipse Californium Scandium package. This issue occurs when failing handshakes don't clean up counters for throttling, causing the threshold to be reached without being released again, resulting in a denial of service. An attacker could submit a high quantity of server requests, leaving the server unable to respond.",
               title: "Vulnerability description",
            },
            {
               category: "summary",
               text: "scandium: Failing DTLS handshakes may cause throttling to block processing of records",
               title: "Vulnerability summary",
            },
            {
               category: "general",
               text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
               title: "CVSS score applicability",
            },
         ],
         product_status: {
            fixed: [
               "RHINT Camel-K-1.10.1",
            ],
         },
         references: [
            {
               category: "self",
               summary: "Canonical URL",
               url: "https://access.redhat.com/security/cve/CVE-2022-39368",
            },
            {
               category: "external",
               summary: "RHBZ#2145205",
               url: "https://bugzilla.redhat.com/show_bug.cgi?id=2145205",
            },
            {
               category: "external",
               summary: "https://www.cve.org/CVERecord?id=CVE-2022-39368",
               url: "https://www.cve.org/CVERecord?id=CVE-2022-39368",
            },
            {
               category: "external",
               summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-39368",
               url: "https://nvd.nist.gov/vuln/detail/CVE-2022-39368",
            },
            {
               category: "external",
               summary: "https://github.com/eclipse-californium/californium/security/advisories/GHSA-p72g-cgh9-ghjgc",
               url: "https://github.com/eclipse-californium/californium/security/advisories/GHSA-p72g-cgh9-ghjgc",
            },
         ],
         release_date: "2022-11-10T00:00:00+00:00",
         remediations: [
            {
               category: "vendor_fix",
               date: "2023-06-28T15:59:12+00:00",
               details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
               product_ids: [
                  "RHINT Camel-K-1.10.1",
               ],
               restart_required: {
                  category: "none",
               },
               url: "https://access.redhat.com/errata/RHSA-2023:3906",
            },
         ],
         scores: [
            {
               cvss_v3: {
                  attackComplexity: "LOW",
                  attackVector: "NETWORK",
                  availabilityImpact: "HIGH",
                  baseScore: 8.2,
                  baseSeverity: "HIGH",
                  confidentialityImpact: "NONE",
                  integrityImpact: "LOW",
                  privilegesRequired: "NONE",
                  scope: "UNCHANGED",
                  userInteraction: "NONE",
                  vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H",
                  version: "3.1",
               },
               products: [
                  "RHINT Camel-K-1.10.1",
               ],
            },
         ],
         threats: [
            {
               category: "impact",
               details: "Moderate",
            },
         ],
         title: "scandium: Failing DTLS handshakes may cause throttling to block processing of records",
      },
      {
         cve: "CVE-2022-41946",
         cwe: {
            id: "CWE-377",
            name: "Insecure Temporary File",
         },
         discovery_date: "2022-12-14T00:00:00+00:00",
         ids: [
            {
               system_name: "Red Hat Bugzilla ID",
               text: "2153399",
            },
         ],
         notes: [
            {
               category: "description",
               text: "A flaw was found in org.postgresql. This issue allows the creation of a temporary file when using PreparedStatement.setText(int, InputStream) and PreparedStatemet.setBytea(int, InputStream). This could allow a user to create an unexpected file available to all users, which could end in unexpected behavior.",
               title: "Vulnerability description",
            },
            {
               category: "summary",
               text: "postgresql-jdbc: Information leak of prepared statement data due to insecure temporary file permissions",
               title: "Vulnerability summary",
            },
            {
               category: "other",
               text: "Red Hat Satellite ships a PostgreSQL JDBC Driver for Hibernate ORM framework, which is embeds into Candlepin. Although Candlepin itself doesn't make direct use of the PreparedStatement methods from the PostgreSQL JDBC Driver, Hibernate ORM does utilize these methods, potentially making framework affected. Satellite server operating in an environment with untrusted users while the driver is running are vulnerable to the flaw, however, deployments without untrusted users are considered safe. A future Satellite update should address this issue.",
               title: "Statement",
            },
            {
               category: "general",
               text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
               title: "CVSS score applicability",
            },
         ],
         product_status: {
            fixed: [
               "RHINT Camel-K-1.10.1",
            ],
         },
         references: [
            {
               category: "self",
               summary: "Canonical URL",
               url: "https://access.redhat.com/security/cve/CVE-2022-41946",
            },
            {
               category: "external",
               summary: "RHBZ#2153399",
               url: "https://bugzilla.redhat.com/show_bug.cgi?id=2153399",
            },
            {
               category: "external",
               summary: "https://www.cve.org/CVERecord?id=CVE-2022-41946",
               url: "https://www.cve.org/CVERecord?id=CVE-2022-41946",
            },
            {
               category: "external",
               summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-41946",
               url: "https://nvd.nist.gov/vuln/detail/CVE-2022-41946",
            },
         ],
         release_date: "2022-11-23T00:00:00+00:00",
         remediations: [
            {
               category: "vendor_fix",
               date: "2023-06-28T15:59:12+00:00",
               details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
               product_ids: [
                  "RHINT Camel-K-1.10.1",
               ],
               restart_required: {
                  category: "none",
               },
               url: "https://access.redhat.com/errata/RHSA-2023:3906",
            },
         ],
         scores: [
            {
               cvss_v3: {
                  attackComplexity: "LOW",
                  attackVector: "LOCAL",
                  availabilityImpact: "NONE",
                  baseScore: 5.5,
                  baseSeverity: "MEDIUM",
                  confidentialityImpact: "HIGH",
                  integrityImpact: "NONE",
                  privilegesRequired: "LOW",
                  scope: "UNCHANGED",
                  userInteraction: "NONE",
                  vectorString: "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
                  version: "3.1",
               },
               products: [
                  "RHINT Camel-K-1.10.1",
               ],
            },
         ],
         threats: [
            {
               category: "impact",
               details: "Moderate",
            },
         ],
         title: "postgresql-jdbc: Information leak of prepared statement data due to insecure temporary file permissions",
      },
      {
         cve: "CVE-2022-46363",
         cwe: {
            id: "CWE-20",
            name: "Improper Input Validation",
         },
         discovery_date: "2022-12-21T00:00:00+00:00",
         ids: [
            {
               system_name: "Red Hat Bugzilla ID",
               text: "2155681",
            },
         ],
         notes: [
            {
               category: "description",
               text: "A vulnerability was found in Apache CXF that could allow an attacker to perform a remote directory listing or code exfiltration. This issue only applies when the CXFServlet is configured with both the static-resources-list and redirect-query-check attributes. These attributes are not supposed to be used together, so the issue can only occur if the CXF service is misconfigured.",
               title: "Vulnerability description",
            },
            {
               category: "summary",
               text: "CXF: directory listing / code exfiltration",
               title: "Vulnerability summary",
            },
            {
               category: "general",
               text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
               title: "CVSS score applicability",
            },
         ],
         product_status: {
            fixed: [
               "RHINT Camel-K-1.10.1",
            ],
         },
         references: [
            {
               category: "self",
               summary: "Canonical URL",
               url: "https://access.redhat.com/security/cve/CVE-2022-46363",
            },
            {
               category: "external",
               summary: "RHBZ#2155681",
               url: "https://bugzilla.redhat.com/show_bug.cgi?id=2155681",
            },
            {
               category: "external",
               summary: "https://www.cve.org/CVERecord?id=CVE-2022-46363",
               url: "https://www.cve.org/CVERecord?id=CVE-2022-46363",
            },
            {
               category: "external",
               summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-46363",
               url: "https://nvd.nist.gov/vuln/detail/CVE-2022-46363",
            },
            {
               category: "external",
               summary: "https://lists.apache.org/thread/pdzo1qgyplf4y523tnnzrcm7hoco3l8c",
               url: "https://lists.apache.org/thread/pdzo1qgyplf4y523tnnzrcm7hoco3l8c",
            },
         ],
         release_date: "2022-12-13T00:00:00+00:00",
         remediations: [
            {
               category: "vendor_fix",
               date: "2023-06-28T15:59:12+00:00",
               details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
               product_ids: [
                  "RHINT Camel-K-1.10.1",
               ],
               restart_required: {
                  category: "none",
               },
               url: "https://access.redhat.com/errata/RHSA-2023:3906",
            },
         ],
         scores: [
            {
               cvss_v3: {
                  attackComplexity: "LOW",
                  attackVector: "NETWORK",
                  availabilityImpact: "NONE",
                  baseScore: 7.5,
                  baseSeverity: "HIGH",
                  confidentialityImpact: "HIGH",
                  integrityImpact: "NONE",
                  privilegesRequired: "NONE",
                  scope: "UNCHANGED",
                  userInteraction: "NONE",
                  vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
                  version: "3.1",
               },
               products: [
                  "RHINT Camel-K-1.10.1",
               ],
            },
         ],
         threats: [
            {
               category: "impact",
               details: "Moderate",
            },
         ],
         title: "CXF: directory listing / code exfiltration",
      },
      {
         cve: "CVE-2023-1370",
         cwe: {
            id: "CWE-674",
            name: "Uncontrolled Recursion",
         },
         discovery_date: "2023-04-21T00:00:00+00:00",
         ids: [
            {
               system_name: "Red Hat Bugzilla ID",
               text: "2188542",
            },
         ],
         notes: [
            {
               category: "description",
               text: "A flaw was found in the json-smart package. This security flaw occurs when reaching a ‘[‘ or ‘{‘ character in the JSON input, and the code parses an array or an object, respectively. The 3PP does not have any limit to the nesting of such arrays or objects. Since nested arrays and objects are parsed recursively, nesting too many of them can cause stack exhaustion (stack overflow) and crash the software.",
               title: "Vulnerability description",
            },
            {
               category: "summary",
               text: "json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion)",
               title: "Vulnerability summary",
            },
            {
               category: "general",
               text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
               title: "CVSS score applicability",
            },
         ],
         product_status: {
            fixed: [
               "RHINT Camel-K-1.10.1",
            ],
         },
         references: [
            {
               category: "self",
               summary: "Canonical URL",
               url: "https://access.redhat.com/security/cve/CVE-2023-1370",
            },
            {
               category: "external",
               summary: "RHBZ#2188542",
               url: "https://bugzilla.redhat.com/show_bug.cgi?id=2188542",
            },
            {
               category: "external",
               summary: "https://www.cve.org/CVERecord?id=CVE-2023-1370",
               url: "https://www.cve.org/CVERecord?id=CVE-2023-1370",
            },
            {
               category: "external",
               summary: "https://nvd.nist.gov/vuln/detail/CVE-2023-1370",
               url: "https://nvd.nist.gov/vuln/detail/CVE-2023-1370",
            },
            {
               category: "external",
               summary: "https://github.com/advisories/GHSA-493p-pfq6-5258",
               url: "https://github.com/advisories/GHSA-493p-pfq6-5258",
            },
            {
               category: "external",
               summary: "https://research.jfrog.com/vulnerabilities/stack-exhaustion-in-json-smart-leads-to-denial-of-service-when-parsing-malformed-json-xray-427633/",
               url: "https://research.jfrog.com/vulnerabilities/stack-exhaustion-in-json-smart-leads-to-denial-of-service-when-parsing-malformed-json-xray-427633/",
            },
         ],
         release_date: "2023-03-22T00:00:00+00:00",
         remediations: [
            {
               category: "vendor_fix",
               date: "2023-06-28T15:59:12+00:00",
               details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
               product_ids: [
                  "RHINT Camel-K-1.10.1",
               ],
               restart_required: {
                  category: "none",
               },
               url: "https://access.redhat.com/errata/RHSA-2023:3906",
            },
         ],
         scores: [
            {
               cvss_v3: {
                  attackComplexity: "LOW",
                  attackVector: "NETWORK",
                  availabilityImpact: "HIGH",
                  baseScore: 7.5,
                  baseSeverity: "HIGH",
                  confidentialityImpact: "NONE",
                  integrityImpact: "NONE",
                  privilegesRequired: "NONE",
                  scope: "UNCHANGED",
                  userInteraction: "NONE",
                  vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                  version: "3.1",
               },
               products: [
                  "RHINT Camel-K-1.10.1",
               ],
            },
         ],
         threats: [
            {
               category: "impact",
               details: "Important",
            },
         ],
         title: "json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion)",
      },
   ],
}

fkie_cve-2022-4245

Vulnerability from fkie_nvd

Published

2023-09-25 20:15

Modified

2024-11-21 07:34

Severity ?

4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Summary

References

URL	Tags
secalert@redhat.com	https://access.redhat.com/errata/RHSA-2023:2135	Third Party Advisory
secalert@redhat.com	https://access.redhat.com/errata/RHSA-2023:3906	Third Party Advisory
secalert@redhat.com	https://access.redhat.com/security/cve/CVE-2022-4245	Third Party Advisory
secalert@redhat.com	https://bugzilla.redhat.com/show_bug.cgi?id=2149843	Issue Tracking, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://access.redhat.com/errata/RHSA-2023:2135	Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://access.redhat.com/errata/RHSA-2023:3906	Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://access.redhat.com/security/cve/CVE-2022-4245	Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://bugzilla.redhat.com/show_bug.cgi?id=2149843	Issue Tracking, Third Party Advisory

Impacted products

	Vendor	Product	Version
	codehaus-plexus	plexus-utils	*
	redhat	integration_camel_k	*

JSON

To clipboard

{
   configurations: [
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:a:codehaus-plexus:plexus-utils:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "EA55EA05-9741-46F1-95D7-6F4E2ACAEE8A",
                     versionEndExcluding: "3.0.24",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:a:redhat:integration_camel_k:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "0E66C6CC-DA05-4BF4-84B5-D537606B0467",
                     versionEndExcluding: "1.10.1",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
      },
   ],
   cveTags: [],
   descriptions: [
      {
         lang: "en",
         value: "A flaw was found in codehaus-plexus. The org.codehaus.plexus.util.xml.XmlWriterUtil#writeComment fails to sanitize comments for a --> sequence. This issue means that text contained in the command string could be interpreted as XML and allow for XML injection.",
      },
      {
         lang: "es",
         value: "Se encontró una falla en codehaus-plexus. El org.codehaus.plexus.util.xml.XmlWriterUtil#writeComment no puede sanitizar los comentarios para una secuencia --&gt;. Este problema significa que el texto contenido en la cadena de comando podría interpretarse como XML y permitir la inyección de XML.",
      },
   ],
   id: "CVE-2022-4245",
   lastModified: "2024-11-21T07:34:51.700",
   metrics: {
      cvssMetricV31: [
         {
            cvssData: {
               attackComplexity: "LOW",
               attackVector: "NETWORK",
               availabilityImpact: "NONE",
               baseScore: 4.3,
               baseSeverity: "MEDIUM",
               confidentialityImpact: "LOW",
               integrityImpact: "NONE",
               privilegesRequired: "LOW",
               scope: "UNCHANGED",
               userInteraction: "NONE",
               vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
               version: "3.1",
            },
            exploitabilityScore: 2.8,
            impactScore: 1.4,
            source: "secalert@redhat.com",
            type: "Secondary",
         },
         {
            cvssData: {
               attackComplexity: "LOW",
               attackVector: "NETWORK",
               availabilityImpact: "NONE",
               baseScore: 4.3,
               baseSeverity: "MEDIUM",
               confidentialityImpact: "LOW",
               integrityImpact: "NONE",
               privilegesRequired: "LOW",
               scope: "UNCHANGED",
               userInteraction: "NONE",
               vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
               version: "3.1",
            },
            exploitabilityScore: 2.8,
            impactScore: 1.4,
            source: "nvd@nist.gov",
            type: "Primary",
         },
      ],
   },
   published: "2023-09-25T20:15:10.400",
   references: [
      {
         source: "secalert@redhat.com",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://access.redhat.com/errata/RHSA-2023:2135",
      },
      {
         source: "secalert@redhat.com",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://access.redhat.com/errata/RHSA-2023:3906",
      },
      {
         source: "secalert@redhat.com",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://access.redhat.com/security/cve/CVE-2022-4245",
      },
      {
         source: "secalert@redhat.com",
         tags: [
            "Issue Tracking",
            "Third Party Advisory",
         ],
         url: "https://bugzilla.redhat.com/show_bug.cgi?id=2149843",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://access.redhat.com/errata/RHSA-2023:2135",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://access.redhat.com/errata/RHSA-2023:3906",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://access.redhat.com/security/cve/CVE-2022-4245",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Issue Tracking",
            "Third Party Advisory",
         ],
         url: "https://bugzilla.redhat.com/show_bug.cgi?id=2149843",
      },
   ],
   sourceIdentifier: "secalert@redhat.com",
   vulnStatus: "Modified",
   weaknesses: [
      {
         description: [
            {
               lang: "en",
               value: "CWE-91",
            },
         ],
         source: "secalert@redhat.com",
         type: "Secondary",
      },
      {
         description: [
            {
               lang: "en",
               value: "CWE-611",
            },
         ],
         source: "nvd@nist.gov",
         type: "Primary",
      },
   ],
}

ncsc-2025-0064

Vulnerability from csaf_ncscnl

Published

2025-02-21 08:40

Modified

2025-02-21 08:40

Summary

Kwetsbaarheden verholpen in IBM Cognos Controller

Notes

The Netherlands Cyber Security Center (henceforth: NCSC-NL) maintains this page to enhance access to its information and security advisories. The use of this security advisory is subject to the following terms and conditions: NCSC-NL makes every reasonable effort to ensure that the content of this page is kept up to date, and that it is accurate and complete. Nevertheless, NCSC-NL cannot entirely rule out the possibility of errors, and therefore cannot give any warranty in respect of its completeness, accuracy or continuous keeping up-to-date. The information contained in this security advisory is intended solely for the purpose of providing general information to professional users. No rights can be derived from the information provided therein. NCSC-NL and the Kingdom of the Netherlands assume no legal liability or responsibility for any damage resulting from either the use or inability of use of this security advisory. This includes damage resulting from the inaccuracy of incompleteness of the information contained in the advisory. This security advisory is subject to Dutch law. All disputes related to or arising from the use of this advisory will be submitted to the competent court in The Hague. This choice of means also applies to the court in summary proceedings.

Feiten

IBM heeft kwetsbaarheden verholpen in IBM Cognos Controller (Versies 11.0.0 tot 11.0.1 FP3 en 11.1.0).

Interpretaties

De kwetsbaarheden stellen een kwaadwillende in staat om aanvallen uit te voeren die kunnen leiden tot de volgende categorieën schade: - Denial-of-Service (DoS) - Cross-Site-Scripting (XSS) - Omzeilen van een beveiligingsmaatregel - Manipulatie van gegevens - Verkrijgen van verhoogde rechten - Uitvoer van willekeurige code (Gebruikersrechten) - Toegang tot gevoelige informatie De kwetsbaarheden bevinden zich zowel in de Cognos Controller-Applicatie zelf, als in onderliggende producten, zoals Java, Websphere Liberty, Apache Ant en diverse Open Source componenten, welke met Cognos Controller worden meegeleverd.

Oplossingen

IBM heeft updates uitgebracht om de kwetsbaarheden te verhelpen. Zie bijgevoegde referenties voor meer informatie.

Kans

medium

Schade

high

CWE-130

Improper Handling of Length Parameter Inconsistency

CWE-399

CWE-379

Creation of Temporary File in Directory with Insecure Permissions

CWE-300

Channel Accessible by Non-Endpoint

CWE-798

Use of Hard-coded Credentials

CWE-284

Improper Access Control

CWE-1321

Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

CWE-295

Improper Certificate Validation

CWE-91

XML Injection (aka Blind XPath Injection)

CWE-94

Improper Control of Generation of Code ('Code Injection')

CWE-327

Use of a Broken or Risky Cryptographic Algorithm

CWE-400

Uncontrolled Resource Consumption

CWE-770

Allocation of Resources Without Limits or Throttling

CWE-502

Deserialization of Untrusted Data

CWE-377

Insecure Temporary File

CWE-863

Incorrect Authorization

CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CWE-611

Improper Restriction of XML External Entity Reference

CWE-787

Out-of-bounds Write

CWE-20

Improper Input Validation

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

JSON

To clipboard

{
   document: {
      category: "csaf_security_advisory",
      csaf_version: "2.0",
      distribution: {
         tlp: {
            label: "WHITE",
         },
      },
      lang: "nl",
      notes: [
         {
            category: "legal_disclaimer",
            text: "The Netherlands Cyber Security Center (henceforth: NCSC-NL) maintains this page to enhance access to its information and security advisories. The use of this security advisory is subject to the following terms and conditions:\n\n    NCSC-NL makes every reasonable effort to ensure that the content of this page is kept up to date, and that it is accurate and complete. Nevertheless, NCSC-NL cannot entirely rule out the possibility of errors, and therefore cannot give any warranty in respect of its completeness, accuracy or continuous keeping up-to-date. The information contained in this security advisory is intended solely for the purpose of providing general information to professional users. No rights can be derived from the information provided therein.\n\n    NCSC-NL and the Kingdom of the Netherlands assume no legal liability or responsibility for any damage resulting from either the use or inability of use of this security advisory. This includes damage resulting from the inaccuracy of incompleteness of the information contained in the advisory.\n    This security advisory is subject to Dutch law. All disputes related to or arising from the use of this advisory will be submitted to the competent court in The Hague. This choice of means also applies to the court in summary proceedings.",
         },
         {
            category: "description",
            text: "IBM heeft kwetsbaarheden verholpen in IBM Cognos Controller (Versies 11.0.0 tot 11.0.1 FP3 en 11.1.0).",
            title: "Feiten",
         },
         {
            category: "description",
            text: "De kwetsbaarheden stellen een kwaadwillende in staat om aanvallen uit te voeren die kunnen leiden tot de volgende categorieën schade:\n\n- Denial-of-Service (DoS)\n- Cross-Site-Scripting (XSS)\n- Omzeilen van een beveiligingsmaatregel\n- Manipulatie van gegevens\n- Verkrijgen van verhoogde rechten\n- Uitvoer van willekeurige code (Gebruikersrechten)\n- Toegang tot gevoelige informatie\n\nDe kwetsbaarheden bevinden zich zowel in de Cognos Controller-Applicatie zelf, als in onderliggende producten, zoals Java, Websphere Liberty, Apache Ant en diverse Open Source componenten, welke met Cognos Controller worden meegeleverd.",
            title: "Interpretaties",
         },
         {
            category: "description",
            text: "IBM heeft updates uitgebracht om de kwetsbaarheden te verhelpen. Zie bijgevoegde referenties voor meer informatie.",
            title: "Oplossingen",
         },
         {
            category: "general",
            text: "medium",
            title: "Kans",
         },
         {
            category: "general",
            text: "high",
            title: "Schade",
         },
         {
            category: "general",
            text: "Improper Handling of Length Parameter Inconsistency",
            title: "CWE-130",
         },
         {
            category: "general",
            text: "CWE-399",
            title: "CWE-399",
         },
         {
            category: "general",
            text: "Creation of Temporary File in Directory with Insecure Permissions",
            title: "CWE-379",
         },
         {
            category: "general",
            text: "Channel Accessible by Non-Endpoint",
            title: "CWE-300",
         },
         {
            category: "general",
            text: "Use of Hard-coded Credentials",
            title: "CWE-798",
         },
         {
            category: "general",
            text: "Improper Access Control",
            title: "CWE-284",
         },
         {
            category: "general",
            text: "Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')",
            title: "CWE-1321",
         },
         {
            category: "general",
            text: "Improper Certificate Validation",
            title: "CWE-295",
         },
         {
            category: "general",
            text: "XML Injection (aka Blind XPath Injection)",
            title: "CWE-91",
         },
         {
            category: "general",
            text: "Improper Control of Generation of Code ('Code Injection')",
            title: "CWE-94",
         },
         {
            category: "general",
            text: "Use of a Broken or Risky Cryptographic Algorithm",
            title: "CWE-327",
         },
         {
            category: "general",
            text: "Uncontrolled Resource Consumption",
            title: "CWE-400",
         },
         {
            category: "general",
            text: "Allocation of Resources Without Limits or Throttling",
            title: "CWE-770",
         },
         {
            category: "general",
            text: "Deserialization of Untrusted Data",
            title: "CWE-502",
         },
         {
            category: "general",
            text: "Insecure Temporary File",
            title: "CWE-377",
         },
         {
            category: "general",
            text: "Incorrect Authorization",
            title: "CWE-863",
         },
         {
            category: "general",
            text: "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')",
            title: "CWE-22",
         },
         {
            category: "general",
            text: "Improper Restriction of XML External Entity Reference",
            title: "CWE-611",
         },
         {
            category: "general",
            text: "Out-of-bounds Write",
            title: "CWE-787",
         },
         {
            category: "general",
            text: "Improper Input Validation",
            title: "CWE-20",
         },
         {
            category: "general",
            text: "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')",
            title: "CWE-79",
         },
      ],
      publisher: {
         category: "coordinator",
         contact_details: "cert@ncsc.nl",
         name: "Nationaal Cyber Security Centrum",
         namespace: "https://www.ncsc.nl/",
      },
      references: [
         {
            category: "external",
            summary: "Reference - cveprojectv5; nvd",
            url: "https://www.ibm.com/support/pages/node/7183597",
         },
      ],
      title: "Kwetsbaarheden verholpen in IBM Cognos Controller",
      tracking: {
         current_release_date: "2025-02-21T08:40:26.849797Z",
         id: "NCSC-2025-0064",
         initial_release_date: "2025-02-21T08:40:26.849797Z",
         revision_history: [
            {
               date: "2025-02-21T08:40:26.849797Z",
               number: "0",
               summary: "Initiele versie",
            },
         ],
         status: "final",
         version: "1.0.0",
      },
   },
   product_tree: {
      branches: [
         {
            branches: [
               {
                  category: "product_name",
                  name: "cognos_controller",
                  product: {
                     name: "cognos_controller",
                     product_id: "CSAFPID-1698100",
                     product_identification_helper: {
                        cpe: "cpe:2.3:a:ibm:cognos_controller:*:*:*:*:*:*:*:*",
                     },
                  },
               },
            ],
            category: "vendor",
            name: "ibm",
         },
      ],
   },
   vulnerabilities: [
      {
         cve: "CVE-2020-11979",
         cwe: {
            id: "CWE-377",
            name: "Insecure Temporary File",
         },
         notes: [
            {
               category: "other",
               text: "Insecure Temporary File",
               title: "CWE-377",
            },
            {
               category: "other",
               text: "Creation of Temporary File in Directory with Insecure Permissions",
               title: "CWE-379",
            },
            {
               category: "other",
               text: "Improper Control of Generation of Code ('Code Injection')",
               title: "CWE-94",
            },
         ],
         product_status: {
            known_affected: [
               "CSAFPID-1698100",
            ],
         },
         references: [
            {
               category: "self",
               summary: "CVE-2020-11979",
               url: "https://api.ncsc.nl/velma/v1/vulnerabilities/2020/CVE-2020-11979.json",
            },
         ],
         scores: [
            {
               cvss_v3: {
                  baseScore: 7.5,
                  baseSeverity: "HIGH",
                  vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
                  version: "3.1",
               },
               products: [
                  "CSAFPID-1698100",
               ],
            },
         ],
         title: "CVE-2020-11979",
      },
      {
         cve: "CVE-2021-36373",
         cwe: {
            id: "CWE-770",
            name: "Allocation of Resources Without Limits or Throttling",
         },
         notes: [
            {
               category: "other",
               text: "Allocation of Resources Without Limits or Throttling",
               title: "CWE-770",
            },
            {
               category: "other",
               text: "Improper Handling of Length Parameter Inconsistency",
               title: "CWE-130",
            },
            {
               category: "other",
               text: "CWE-399",
               title: "CWE-399",
            },
         ],
         product_status: {
            known_affected: [
               "CSAFPID-1698100",
            ],
         },
         references: [
            {
               category: "self",
               summary: "CVE-2021-36373",
               url: "https://api.ncsc.nl/velma/v1/vulnerabilities/2021/CVE-2021-36373.json",
            },
         ],
         title: "CVE-2021-36373",
      },
      {
         cve: "CVE-2021-36374",
         cwe: {
            id: "CWE-130",
            name: "Improper Handling of Length Parameter Inconsistency",
         },
         notes: [
            {
               category: "other",
               text: "Improper Handling of Length Parameter Inconsistency",
               title: "CWE-130",
            },
            {
               category: "other",
               text: "CWE-399",
               title: "CWE-399",
            },
         ],
         product_status: {
            known_affected: [
               "CSAFPID-1698100",
            ],
         },
         references: [
            {
               category: "self",
               summary: "CVE-2021-36374",
               url: "https://api.ncsc.nl/velma/v1/vulnerabilities/2021/CVE-2021-36374.json",
            },
         ],
         title: "CVE-2021-36374",
      },
      {
         cve: "CVE-2022-4244",
         cwe: {
            id: "CWE-22",
            name: "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')",
         },
         notes: [
            {
               category: "other",
               text: "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')",
               title: "CWE-22",
            },
         ],
         product_status: {
            known_affected: [
               "CSAFPID-1698100",
            ],
         },
         references: [
            {
               category: "self",
               summary: "CVE-2022-4244",
               url: "https://api.ncsc.nl/velma/v1/vulnerabilities/2022/CVE-2022-4244.json",
            },
         ],
         scores: [
            {
               cvss_v3: {
                  baseScore: 7.5,
                  baseSeverity: "HIGH",
                  vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
                  version: "3.1",
               },
               products: [
                  "CSAFPID-1698100",
               ],
            },
         ],
         title: "CVE-2022-4244",
      },
      {
         cve: "CVE-2022-4245",
         cwe: {
            id: "CWE-91",
            name: "XML Injection (aka Blind XPath Injection)",
         },
         notes: [
            {
               category: "other",
               text: "XML Injection (aka Blind XPath Injection)",
               title: "CWE-91",
            },
         ],
         product_status: {
            known_affected: [
               "CSAFPID-1698100",
            ],
         },
         references: [
            {
               category: "self",
               summary: "CVE-2022-4245",
               url: "https://api.ncsc.nl/velma/v1/vulnerabilities/2022/CVE-2022-4245.json",
            },
         ],
         scores: [
            {
               cvss_v3: {
                  baseScore: 4.3,
                  baseSeverity: "MEDIUM",
                  vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
                  version: "3.1",
               },
               products: [
                  "CSAFPID-1698100",
               ],
            },
         ],
         title: "CVE-2022-4245",
      },
      {
         cve: "CVE-2023-47160",
         cwe: {
            id: "CWE-611",
            name: "Improper Restriction of XML External Entity Reference",
         },
         notes: [
            {
               category: "other",
               text: "Improper Restriction of XML External Entity Reference",
               title: "CWE-611",
            },
         ],
         product_status: {
            known_affected: [
               "CSAFPID-1698100",
            ],
         },
         references: [
            {
               category: "self",
               summary: "CVE-2023-47160",
               url: "https://api.ncsc.nl/velma/v1/vulnerabilities/2023/CVE-2023-47160.json",
            },
         ],
         scores: [
            {
               cvss_v3: {
                  baseScore: 8.2,
                  baseSeverity: "HIGH",
                  vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L",
                  version: "3.1",
               },
               products: [
                  "CSAFPID-1698100",
               ],
            },
         ],
         title: "CVE-2023-47160",
      },
      {
         cve: "CVE-2023-50314",
         cwe: {
            id: "CWE-295",
            name: "Improper Certificate Validation",
         },
         notes: [
            {
               category: "other",
               text: "Improper Certificate Validation",
               title: "CWE-295",
            },
            {
               category: "general",
               text: "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
               title: "CVSSV4",
            },
         ],
         product_status: {
            known_affected: [
               "CSAFPID-1698100",
            ],
         },
         references: [
            {
               category: "self",
               summary: "CVE-2023-50314",
               url: "https://api.ncsc.nl/velma/v1/vulnerabilities/2023/CVE-2023-50314.json",
            },
         ],
         scores: [
            {
               cvss_v3: {
                  baseScore: 7.5,
                  baseSeverity: "HIGH",
                  vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
                  version: "3.1",
               },
               products: [
                  "CSAFPID-1698100",
               ],
            },
         ],
         title: "CVE-2023-50314",
      },
      {
         cve: "CVE-2024-21131",
         cwe: {
            id: "CWE-284",
            name: "Improper Access Control",
         },
         notes: [
            {
               category: "other",
               text: "Improper Access Control",
               title: "CWE-284",
            },
         ],
         product_status: {
            known_affected: [
               "CSAFPID-1698100",
            ],
         },
         references: [
            {
               category: "self",
               summary: "CVE-2024-21131",
               url: "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-21131.json",
            },
         ],
         title: "CVE-2024-21131",
      },
      {
         cve: "CVE-2024-21144",
         cwe: {
            id: "CWE-20",
            name: "Improper Input Validation",
         },
         notes: [
            {
               category: "other",
               text: "Improper Input Validation",
               title: "CWE-20",
            },
            {
               category: "other",
               text: "Uncontrolled Resource Consumption",
               title: "CWE-400",
            },
            {
               category: "other",
               text: "Improper Access Control",
               title: "CWE-284",
            },
         ],
         product_status: {
            known_affected: [
               "CSAFPID-1698100",
            ],
         },
         references: [
            {
               category: "self",
               summary: "CVE-2024-21144",
               url: "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-21144.json",
            },
         ],
         title: "CVE-2024-21144",
      },
      {
         cve: "CVE-2024-21145",
         cwe: {
            id: "CWE-787",
            name: "Out-of-bounds Write",
         },
         notes: [
            {
               category: "other",
               text: "Out-of-bounds Write",
               title: "CWE-787",
            },
            {
               category: "other",
               text: "Improper Access Control",
               title: "CWE-284",
            },
         ],
         product_status: {
            known_affected: [
               "CSAFPID-1698100",
            ],
         },
         references: [
            {
               category: "self",
               summary: "CVE-2024-21145",
               url: "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-21145.json",
            },
         ],
         title: "CVE-2024-21145",
      },
      {
         cve: "CVE-2024-27267",
         cwe: {
            id: "CWE-300",
            name: "Channel Accessible by Non-Endpoint",
         },
         notes: [
            {
               category: "other",
               text: "Channel Accessible by Non-Endpoint",
               title: "CWE-300",
            },
            {
               category: "general",
               text: "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
               title: "CVSSV4",
            },
         ],
         product_status: {
            known_affected: [
               "CSAFPID-1698100",
            ],
         },
         references: [
            {
               category: "self",
               summary: "CVE-2024-27267",
               url: "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-27267.json",
            },
         ],
         scores: [
            {
               cvss_v3: {
                  baseScore: 5.9,
                  baseSeverity: "MEDIUM",
                  vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
                  version: "3.1",
               },
               products: [
                  "CSAFPID-1698100",
               ],
            },
         ],
         title: "CVE-2024-27267",
      },
      {
         cve: "CVE-2024-28776",
         cwe: {
            id: "CWE-79",
            name: "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')",
         },
         notes: [
            {
               category: "other",
               text: "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')",
               title: "CWE-79",
            },
         ],
         product_status: {
            known_affected: [
               "CSAFPID-1698100",
            ],
         },
         references: [
            {
               category: "self",
               summary: "CVE-2024-28776",
               url: "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-28776.json",
            },
         ],
         scores: [
            {
               cvss_v3: {
                  baseScore: 5.4,
                  baseSeverity: "MEDIUM",
                  vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
                  version: "3.1",
               },
               products: [
                  "CSAFPID-1698100",
               ],
            },
         ],
         title: "CVE-2024-28776",
      },
      {
         cve: "CVE-2024-28777",
         cwe: {
            id: "CWE-502",
            name: "Deserialization of Untrusted Data",
         },
         notes: [
            {
               category: "other",
               text: "Deserialization of Untrusted Data",
               title: "CWE-502",
            },
         ],
         product_status: {
            known_affected: [
               "CSAFPID-1698100",
            ],
         },
         references: [
            {
               category: "self",
               summary: "CVE-2024-28777",
               url: "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-28777.json",
            },
         ],
         scores: [
            {
               cvss_v3: {
                  baseScore: 8.8,
                  baseSeverity: "HIGH",
                  vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
                  version: "3.1",
               },
               products: [
                  "CSAFPID-1698100",
               ],
            },
         ],
         title: "CVE-2024-28777",
      },
      {
         cve: "CVE-2024-28780",
         cwe: {
            id: "CWE-327",
            name: "Use of a Broken or Risky Cryptographic Algorithm",
         },
         notes: [
            {
               category: "other",
               text: "Use of a Broken or Risky Cryptographic Algorithm",
               title: "CWE-327",
            },
         ],
         product_status: {
            known_affected: [
               "CSAFPID-1698100",
            ],
         },
         references: [
            {
               category: "self",
               summary: "CVE-2024-28780",
               url: "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-28780.json",
            },
         ],
         scores: [
            {
               cvss_v3: {
                  baseScore: 5.9,
                  baseSeverity: "MEDIUM",
                  vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
                  version: "3.1",
               },
               products: [
                  "CSAFPID-1698100",
               ],
            },
         ],
         title: "CVE-2024-28780",
      },
      {
         cve: "CVE-2024-38999",
         cwe: {
            id: "CWE-1321",
            name: "Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')",
         },
         notes: [
            {
               category: "other",
               text: "Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')",
               title: "CWE-1321",
            },
            {
               category: "general",
               text: "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P",
               title: "CVSSV4",
            },
         ],
         product_status: {
            known_affected: [
               "CSAFPID-1698100",
            ],
         },
         references: [
            {
               category: "self",
               summary: "CVE-2024-38999",
               url: "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-38999.json",
            },
         ],
         scores: [
            {
               cvss_v3: {
                  baseScore: 10,
                  baseSeverity: "CRITICAL",
                  vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
                  version: "3.1",
               },
               products: [
                  "CSAFPID-1698100",
               ],
            },
         ],
         title: "CVE-2024-38999",
      },
      {
         cve: "CVE-2024-45081",
         cwe: {
            id: "CWE-863",
            name: "Incorrect Authorization",
         },
         notes: [
            {
               category: "other",
               text: "Incorrect Authorization",
               title: "CWE-863",
            },
         ],
         product_status: {
            known_affected: [
               "CSAFPID-1698100",
            ],
         },
         references: [
            {
               category: "self",
               summary: "CVE-2024-45081",
               url: "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-45081.json",
            },
         ],
         scores: [
            {
               cvss_v3: {
                  baseScore: 6.5,
                  baseSeverity: "MEDIUM",
                  vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
                  version: "3.1",
               },
               products: [
                  "CSAFPID-1698100",
               ],
            },
         ],
         title: "CVE-2024-45081",
      },
      {
         cve: "CVE-2024-45084",
         cwe: {
            id: "CWE-502",
            name: "Deserialization of Untrusted Data",
         },
         notes: [
            {
               category: "other",
               text: "Deserialization of Untrusted Data",
               title: "CWE-502",
            },
         ],
         product_status: {
            known_affected: [
               "CSAFPID-1698100",
            ],
         },
         references: [
            {
               category: "self",
               summary: "CVE-2024-45084",
               url: "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-45084.json",
            },
         ],
         scores: [
            {
               cvss_v3: {
                  baseScore: 8,
                  baseSeverity: "HIGH",
                  vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
                  version: "3.1",
               },
               products: [
                  "CSAFPID-1698100",
               ],
            },
         ],
         title: "CVE-2024-45084",
      },
      {
         cve: "CVE-2024-52902",
         cwe: {
            id: "CWE-798",
            name: "Use of Hard-coded Credentials",
         },
         notes: [
            {
               category: "other",
               text: "Use of Hard-coded Credentials",
               title: "CWE-798",
            },
         ],
         product_status: {
            known_affected: [
               "CSAFPID-1698100",
            ],
         },
         references: [
            {
               category: "self",
               summary: "CVE-2024-52902",
               url: "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-52902.json",
            },
         ],
         scores: [
            {
               cvss_v3: {
                  baseScore: 8.8,
                  baseSeverity: "HIGH",
                  vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
                  version: "3.1",
               },
               products: [
                  "CSAFPID-1698100",
               ],
            },
         ],
         title: "CVE-2024-52902",
      },
   ],
}

gsd-2022-4245

Vulnerability from gsd

Modified

2023-12-13 01:19

Details

Aliases

CVE-2022-4245

Aliases

CVE-2022-4245

JSON

To clipboard

{
   GSD: {
      alias: "CVE-2022-4245",
      id: "GSD-2022-4245",
      references: [
         "https://www.suse.com/security/cve/CVE-2022-4245.html",
      ],
   },
   gsd: {
      metadata: {
         exploitCode: "unknown",
         remediation: "unknown",
         reportConfidence: "confirmed",
         type: "vulnerability",
      },
      osvSchema: {
         aliases: [
            "CVE-2022-4245",
         ],
         details: "A flaw was found in codehaus-plexus. The org.codehaus.plexus.util.xml.XmlWriterUtil#writeComment fails to sanitize comments for a --> sequence. This issue means that text contained in the command string could be interpreted as XML and allow for XML injection.",
         id: "GSD-2022-4245",
         modified: "2023-12-13T01:19:16.030505Z",
         schema_version: "1.4.0",
      },
   },
   namespaces: {
      "cve.org": {
         CVE_data_meta: {
            ASSIGNER: "secalert@redhat.com",
            ID: "CVE-2022-4245",
            STATE: "PUBLIC",
         },
         affects: {
            vendor: {
               vendor_data: [
                  {
                     product: {
                        product_data: [
                           {
                              product_name: "codehaus-plexus",
                              version: {
                                 version_data: [
                                    {
                                       version_value: "not down converted",
                                       x_cve_json_5_version_data: {
                                          versions: [
                                             {
                                                status: "unaffected",
                                                version: "3.0.24",
                                             },
                                          ],
                                       },
                                    },
                                 ],
                              },
                           },
                        ],
                     },
                     vendor_name: "n/a",
                  },
                  {
                     product: {
                        product_data: [
                           {
                              product_name: "Red Hat Integration Camel K",
                              version: {
                                 version_data: [
                                    {
                                       version_value: "not down converted",
                                       x_cve_json_5_version_data: {
                                          defaultStatus: "unaffected",
                                       },
                                    },
                                 ],
                              },
                           },
                           {
                              product_name: "A-MQ Clients 2",
                              version: {
                                 version_data: [
                                    {
                                       version_value: "not down converted",
                                       x_cve_json_5_version_data: {
                                          defaultStatus: "affected",
                                       },
                                    },
                                 ],
                              },
                           },
                           {
                              product_name: "Red Hat A-MQ Online",
                              version: {
                                 version_data: [
                                    {
                                       version_value: "not down converted",
                                       x_cve_json_5_version_data: {
                                          defaultStatus: "affected",
                                       },
                                    },
                                 ],
                              },
                           },
                           {
                              product_name: "Red Hat build of Quarkus",
                              version: {
                                 version_data: [
                                    {
                                       version_value: "not down converted",
                                       x_cve_json_5_version_data: {
                                          defaultStatus: "affected",
                                       },
                                    },
                                 ],
                              },
                           },
                           {
                              product_name: "Red Hat Data Grid 8",
                              version: {
                                 version_data: [
                                    {
                                       version_value: "not down converted",
                                       x_cve_json_5_version_data: {
                                          defaultStatus: "affected",
                                       },
                                    },
                                 ],
                              },
                           },
                           {
                              product_name: "Red Hat Decision Manager 7",
                              version: {
                                 version_data: [
                                    {
                                       version_value: "not down converted",
                                       x_cve_json_5_version_data: {
                                          defaultStatus: "unknown",
                                       },
                                    },
                                 ],
                              },
                           },
                           {
                              product_name: "Red Hat Enterprise Linux 7",
                              version: {
                                 version_data: [
                                    {
                                       version_value: "not down converted",
                                       x_cve_json_5_version_data: {
                                          defaultStatus: "unknown",
                                       },
                                    },
                                 ],
                              },
                           },
                           {
                              product_name: "Red Hat Enterprise Linux 8",
                              version: {
                                 version_data: [
                                    {
                                       version_value: "not down converted",
                                       x_cve_json_5_version_data: {
                                          defaultStatus: "unaffected",
                                       },
                                    },
                                    {
                                       version_value: "not down converted",
                                       x_cve_json_5_version_data: {
                                          defaultStatus: "unaffected",
                                       },
                                    },
                                 ],
                              },
                           },
                           {
                              product_name: "Red Hat Enterprise Linux 9",
                              version: {
                                 version_data: [
                                    {
                                       version_value: "not down converted",
                                       x_cve_json_5_version_data: {
                                          defaultStatus: "unaffected",
                                       },
                                    },
                                    {
                                       version_value: "not down converted",
                                       x_cve_json_5_version_data: {
                                          defaultStatus: "unaffected",
                                       },
                                    },
                                 ],
                              },
                           },
                           {
                              product_name: "Red Hat Integration Camel for Spring Boot",
                              version: {
                                 version_data: [
                                    {
                                       version_value: "not down converted",
                                       x_cve_json_5_version_data: {
                                          defaultStatus: "affected",
                                       },
                                    },
                                 ],
                              },
                           },
                           {
                              product_name: "Red Hat Integration Camel Quarkus",
                              version: {
                                 version_data: [
                                    {
                                       version_value: "not down converted",
                                       x_cve_json_5_version_data: {
                                          defaultStatus: "affected",
                                       },
                                    },
                                 ],
                              },
                           },
                           {
                              product_name: "Red Hat Integration Change Data Capture",
                              version: {
                                 version_data: [
                                    {
                                       version_value: "not down converted",
                                       x_cve_json_5_version_data: {
                                          defaultStatus: "affected",
                                       },
                                    },
                                 ],
                              },
                           },
                           {
                              product_name: "Red Hat Integration Service Registry",
                              version: {
                                 version_data: [
                                    {
                                       version_value: "not down converted",
                                       x_cve_json_5_version_data: {
                                          defaultStatus: "affected",
                                       },
                                    },
                                 ],
                              },
                           },
                           {
                              product_name: "Red Hat JBoss A-MQ 7",
                              version: {
                                 version_data: [
                                    {
                                       version_value: "not down converted",
                                       x_cve_json_5_version_data: {
                                          defaultStatus: "affected",
                                       },
                                    },
                                 ],
                              },
                           },
                           {
                              product_name: "Red Hat JBoss Data Grid 7",
                              version: {
                                 version_data: [
                                    {
                                       version_value: "not down converted",
                                       x_cve_json_5_version_data: {
                                          defaultStatus: "unknown",
                                       },
                                    },
                                 ],
                              },
                           },
                           {
                              product_name: "Red Hat JBoss Enterprise Application Platform 6",
                              version: {
                                 version_data: [
                                    {
                                       version_value: "not down converted",
                                       x_cve_json_5_version_data: {
                                          defaultStatus: "unknown",
                                       },
                                    },
                                 ],
                              },
                           },
                           {
                              product_name: "Red Hat JBoss Enterprise Application Platform 7",
                              version: {
                                 version_data: [
                                    {
                                       version_value: "not down converted",
                                       x_cve_json_5_version_data: {
                                          defaultStatus: "unaffected",
                                       },
                                    },
                                 ],
                              },
                           },
                           {
                              product_name: "Red Hat JBoss Enterprise Application Platform Expansion Pack",
                              version: {
                                 version_data: [
                                    {
                                       version_value: "not down converted",
                                       x_cve_json_5_version_data: {
                                          defaultStatus: "affected",
                                       },
                                    },
                                 ],
                              },
                           },
                           {
                              product_name: "Red Hat JBoss Fuse 6",
                              version: {
                                 version_data: [
                                    {
                                       version_value: "not down converted",
                                       x_cve_json_5_version_data: {
                                          defaultStatus: "unknown",
                                       },
                                    },
                                 ],
                              },
                           },
                           {
                              product_name: "Red Hat JBoss Fuse 7",
                              version: {
                                 version_data: [
                                    {
                                       version_value: "not down converted",
                                       x_cve_json_5_version_data: {
                                          defaultStatus: "affected",
                                       },
                                    },
                                 ],
                              },
                           },
                           {
                              product_name: "Red Hat JBoss Fuse Service Works 6",
                              version: {
                                 version_data: [
                                    {
                                       version_value: "not down converted",
                                       x_cve_json_5_version_data: {
                                          defaultStatus: "unknown",
                                       },
                                    },
                                 ],
                              },
                           },
                           {
                              product_name: "Red Hat JBoss Web Server 3",
                              version: {
                                 version_data: [
                                    {
                                       version_value: "not down converted",
                                       x_cve_json_5_version_data: {
                                          defaultStatus: "unknown",
                                       },
                                    },
                                 ],
                              },
                           },
                           {
                              product_name: "Red Hat JBoss Web Server 5",
                              version: {
                                 version_data: [
                                    {
                                       version_value: "not down converted",
                                       x_cve_json_5_version_data: {
                                          defaultStatus: "unaffected",
                                       },
                                    },
                                 ],
                              },
                           },
                           {
                              product_name: "Red Hat OpenShift Application Runtimes",
                              version: {
                                 version_data: [
                                    {
                                       version_value: "not down converted",
                                       x_cve_json_5_version_data: {
                                          defaultStatus: "unaffected",
                                       },
                                    },
                                 ],
                              },
                           },
                           {
                              product_name: "Red Hat Process Automation 7",
                              version: {
                                 version_data: [
                                    {
                                       version_value: "not down converted",
                                       x_cve_json_5_version_data: {
                                          defaultStatus: "affected",
                                       },
                                    },
                                 ],
                              },
                           },
                           {
                              product_name: "Red Hat Single Sign-On 7",
                              version: {
                                 version_data: [
                                    {
                                       version_value: "not down converted",
                                       x_cve_json_5_version_data: {
                                          defaultStatus: "affected",
                                       },
                                    },
                                 ],
                              },
                           },
                           {
                              product_name: "Red Hat Software Collections",
                              version: {
                                 version_data: [
                                    {
                                       version_value: "not down converted",
                                       x_cve_json_5_version_data: {
                                          defaultStatus: "affected",
                                       },
                                    },
                                    {
                                       version_value: "not down converted",
                                       x_cve_json_5_version_data: {
                                          defaultStatus: "unaffected",
                                       },
                                    },
                                    {
                                       version_value: "not down converted",
                                       x_cve_json_5_version_data: {
                                          defaultStatus: "unaffected",
                                       },
                                    },
                                    {
                                       version_value: "not down converted",
                                       x_cve_json_5_version_data: {
                                          defaultStatus: "affected",
                                       },
                                    },
                                    {
                                       version_value: "not down converted",
                                       x_cve_json_5_version_data: {
                                          defaultStatus: "affected",
                                       },
                                    },
                                    {
                                       version_value: "not down converted",
                                       x_cve_json_5_version_data: {
                                          defaultStatus: "unaffected",
                                       },
                                    },
                                    {
                                       version_value: "not down converted",
                                       x_cve_json_5_version_data: {
                                          defaultStatus: "affected",
                                       },
                                    },
                                    {
                                       version_value: "not down converted",
                                       x_cve_json_5_version_data: {
                                          defaultStatus: "unaffected",
                                       },
                                    },
                                    {
                                       version_value: "not down converted",
                                       x_cve_json_5_version_data: {
                                          defaultStatus: "affected",
                                       },
                                    },
                                    {
                                       version_value: "not down converted",
                                       x_cve_json_5_version_data: {
                                          defaultStatus: "affected",
                                       },
                                    },
                                    {
                                       version_value: "not down converted",
                                       x_cve_json_5_version_data: {
                                          defaultStatus: "affected",
                                       },
                                    },
                                    {
                                       version_value: "not down converted",
                                       x_cve_json_5_version_data: {
                                          defaultStatus: "unaffected",
                                       },
                                    },
                                 ],
                              },
                           },
                           {
                              product_name: "Red Hat support for Spring Boot",
                              version: {
                                 version_data: [
                                    {
                                       version_value: "not down converted",
                                       x_cve_json_5_version_data: {
                                          defaultStatus: "affected",
                                       },
                                    },
                                 ],
                              },
                           },
                        ],
                     },
                     vendor_name: "Red Hat",
                  },
                  {
                     product: {
                        product_data: [
                           {
                              product_name: "Fedora 37",
                              version: {
                                 version_data: [
                                    {
                                       version_value: "not down converted",
                                       x_cve_json_5_version_data: {
                                          defaultStatus: "affected",
                                       },
                                    },
                                    {
                                       version_value: "not down converted",
                                       x_cve_json_5_version_data: {
                                          defaultStatus: "affected",
                                       },
                                    },
                                    {
                                       version_value: "not down converted",
                                       x_cve_json_5_version_data: {
                                          defaultStatus: "affected",
                                       },
                                    },
                                    {
                                       version_value: "not down converted",
                                       x_cve_json_5_version_data: {
                                          defaultStatus: "affected",
                                       },
                                    },
                                    {
                                       version_value: "not down converted",
                                       x_cve_json_5_version_data: {
                                          defaultStatus: "affected",
                                       },
                                    },
                                    {
                                       version_value: "not down converted",
                                       x_cve_json_5_version_data: {
                                          defaultStatus: "affected",
                                       },
                                    },
                                    {
                                       version_value: "not down converted",
                                       x_cve_json_5_version_data: {
                                          defaultStatus: "affected",
                                       },
                                    },
                                 ],
                              },
                           },
                        ],
                     },
                     vendor_name: "Fedora",
                  },
               ],
            },
         },
         data_format: "MITRE",
         data_type: "CVE",
         data_version: "4.0",
         description: {
            description_data: [
               {
                  lang: "eng",
                  value: "A flaw was found in codehaus-plexus. The org.codehaus.plexus.util.xml.XmlWriterUtil#writeComment fails to sanitize comments for a --> sequence. This issue means that text contained in the command string could be interpreted as XML and allow for XML injection.",
               },
            ],
         },
         impact: {
            cvss: [
               {
                  attackComplexity: "LOW",
                  attackVector: "NETWORK",
                  availabilityImpact: "NONE",
                  baseScore: 4.3,
                  baseSeverity: "MEDIUM",
                  confidentialityImpact: "LOW",
                  integrityImpact: "NONE",
                  privilegesRequired: "LOW",
                  scope: "UNCHANGED",
                  userInteraction: "NONE",
                  vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
                  version: "3.1",
               },
            ],
         },
         problemtype: {
            problemtype_data: [
               {
                  description: [
                     {
                        cweId: "CWE-91",
                        lang: "eng",
                        value: "XML Injection (aka Blind XPath Injection)",
                     },
                  ],
               },
            ],
         },
         references: {
            reference_data: [
               {
                  name: "https://access.redhat.com/errata/RHSA-2023:3906",
                  refsource: "MISC",
                  url: "https://access.redhat.com/errata/RHSA-2023:3906",
               },
               {
                  name: "https://access.redhat.com/security/cve/CVE-2022-4245",
                  refsource: "MISC",
                  url: "https://access.redhat.com/security/cve/CVE-2022-4245",
               },
               {
                  name: "https://bugzilla.redhat.com/show_bug.cgi?id=2149843",
                  refsource: "MISC",
                  url: "https://bugzilla.redhat.com/show_bug.cgi?id=2149843",
               },
            ],
         },
      },
      "nvd.nist.gov": {
         configurations: {
            CVE_data_version: "4.0",
            nodes: [
               {
                  children: [],
                  cpe_match: [
                     {
                        cpe23Uri: "cpe:2.3:a:codehaus-plexus_project:codehaus-plexus:*:*:*:*:*:*:*:*",
                        cpe_name: [],
                        versionEndExcluding: "3.0.24",
                        vulnerable: true,
                     },
                  ],
                  operator: "OR",
               },
               {
                  children: [],
                  cpe_match: [
                     {
                        cpe23Uri: "cpe:2.3:a:redhat:integration_camel_k:*:*:*:*:*:*:*:*",
                        cpe_name: [],
                        versionEndExcluding: "1.10.1",
                        vulnerable: true,
                     },
                  ],
                  operator: "OR",
               },
            ],
         },
         cve: {
            CVE_data_meta: {
               ASSIGNER: "secalert@redhat.com",
               ID: "CVE-2022-4245",
            },
            data_format: "MITRE",
            data_type: "CVE",
            data_version: "4.0",
            description: {
               description_data: [
                  {
                     lang: "en",
                     value: "A flaw was found in codehaus-plexus. The org.codehaus.plexus.util.xml.XmlWriterUtil#writeComment fails to sanitize comments for a --> sequence. This issue means that text contained in the command string could be interpreted as XML and allow for XML injection.",
                  },
               ],
            },
            problemtype: {
               problemtype_data: [
                  {
                     description: [
                        {
                           lang: "en",
                           value: "CWE-611",
                        },
                     ],
                  },
               ],
            },
            references: {
               reference_data: [
                  {
                     name: "https://access.redhat.com/security/cve/CVE-2022-4245",
                     refsource: "MISC",
                     tags: [
                        "Third Party Advisory",
                     ],
                     url: "https://access.redhat.com/security/cve/CVE-2022-4245",
                  },
                  {
                     name: "https://access.redhat.com/errata/RHSA-2023:3906",
                     refsource: "MISC",
                     tags: [
                        "Third Party Advisory",
                     ],
                     url: "https://access.redhat.com/errata/RHSA-2023:3906",
                  },
                  {
                     name: "https://bugzilla.redhat.com/show_bug.cgi?id=2149843",
                     refsource: "MISC",
                     tags: [
                        "Issue Tracking",
                        "Third Party Advisory",
                     ],
                     url: "https://bugzilla.redhat.com/show_bug.cgi?id=2149843",
                  },
               ],
            },
         },
         impact: {
            baseMetricV3: {
               cvssV3: {
                  attackComplexity: "LOW",
                  attackVector: "NETWORK",
                  availabilityImpact: "NONE",
                  baseScore: 4.3,
                  baseSeverity: "MEDIUM",
                  confidentialityImpact: "LOW",
                  integrityImpact: "NONE",
                  privilegesRequired: "LOW",
                  scope: "UNCHANGED",
                  userInteraction: "NONE",
                  vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
                  version: "3.1",
               },
               exploitabilityScore: 2.8,
               impactScore: 1.4,
            },
         },
         lastModifiedDate: "2023-10-02T19:27Z",
         publishedDate: "2023-09-25T20:15Z",
      },
   },
}

ghsa-jcwr-x25h-x5fh

Vulnerability from github

Published

2023-09-25 21:30

Modified

2024-05-03 20:26

Severity ?

4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Summary

codehaus-plexus vulnerable to XML injection

Details

A flaw was found in codehaus-plexus. The org.codehaus.plexus.util.xml.XmlWriterUtil#writeComment fails to sanitize comments for a --> sequence. This issue means that text contained in the command string could be interpreted as XML and allow for XML injection.

Show details on source website

JSON

To clipboard

{
   affected: [
      {
         package: {
            ecosystem: "Maven",
            name: "org.codehaus.plexus:plexus-utils",
         },
         ranges: [
            {
               events: [
                  {
                     introduced: "0",
                  },
                  {
                     fixed: "3.0.24",
                  },
               ],
               type: "ECOSYSTEM",
            },
         ],
      },
   ],
   aliases: [
      "CVE-2022-4245",
   ],
   database_specific: {
      cwe_ids: [
         "CWE-611",
         "CWE-91",
      ],
      github_reviewed: true,
      github_reviewed_at: "2023-09-26T19:38:53Z",
      nvd_published_at: "2023-09-25T20:15:10Z",
      severity: "MODERATE",
   },
   details: "A flaw was found in codehaus-plexus. The `org.codehaus.plexus.util.xml.XmlWriterUtil#writeComment` fails to sanitize comments for a `-->` sequence. This issue means that text contained in the command string could be interpreted as XML and allow for XML injection. ",
   id: "GHSA-jcwr-x25h-x5fh",
   modified: "2024-05-03T20:26:14Z",
   published: "2023-09-25T21:30:26Z",
   references: [
      {
         type: "ADVISORY",
         url: "https://nvd.nist.gov/vuln/detail/CVE-2022-4245",
      },
      {
         type: "WEB",
         url: "https://github.com/codehaus-plexus/plexus-utils/issues/3",
      },
      {
         type: "WEB",
         url: "https://github.com/codehaus-plexus/plexus-utils/commit/f933e5e78dc2637e485447ed821fe14904f110de",
      },
      {
         type: "WEB",
         url: "https://access.redhat.com/errata/RHSA-2023:2135",
      },
      {
         type: "WEB",
         url: "https://access.redhat.com/errata/RHSA-2023:3906",
      },
      {
         type: "WEB",
         url: "https://access.redhat.com/security/cve/CVE-2022-4245",
      },
      {
         type: "WEB",
         url: "https://bugzilla.redhat.com/show_bug.cgi?id=2149843",
      },
      {
         type: "PACKAGE",
         url: "https://github.com/codehaus-plexus/plexus-utils",
      },
      {
         type: "WEB",
         url: "https://security.snyk.io/vuln/SNYK-JAVA-ORGCODEHAUSPLEXUS-461102",
      },
   ],
   schema_version: "1.4.0",
   severity: [
      {
         score: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
         type: "CVSS_V3",
      },
   ],
   summary: "codehaus-plexus vulnerable to XML injection",
}

All sightings related to this event Export sightings related to this event

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted

Vulnerability from cvelistv5

Vulnerability from csaf_redhat

Vulnerability from csaf_redhat

Vulnerability from csaf_redhat

Vulnerability from csaf_redhat

Vulnerability from csaf_redhat

Vulnerability from csaf_redhat

Vulnerability from fkie_nvd

Vulnerability from csaf_ncscnl

Vulnerability from gsd

Vulnerability from github

Tags

Sightings

Nomenclature