Action not permitted
Modal body text goes here.
Modal Title
Modal Body
CVE-2022-44729 (GCVE-0-2022-44729)
Vulnerability from cvelistv5 – Published: 2023-08-22 14:12 – Updated: 2025-02-13 16:33
VLAI?
EPSS
Summary
Server-Side Request Forgery (SSRF) vulnerability in Apache Software Foundation Apache XML Graphics Batik.This issue affects Apache XML Graphics Batik: 1.16.
On version 1.16, a malicious SVG could trigger loading external resources by default, causing resource consumption or in some cases even information disclosure. Users are recommended to upgrade to version 1.17 or later.
Severity ?
No CVSS data available.
CWE
- CWE-918 - Server-Side Request Forgery (SSRF)
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache XML Graphics Batik |
Affected:
1.16
|
Credits
nbxiglk
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T14:01:31.175Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://xmlgraphics.apache.org/security.html"
},
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.apache.org/thread/hco2nw1typoorz33qzs0fcdx0ws6d6j2"
},
{
"tags": [
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2023/08/22/2"
},
{
"tags": [
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2023/08/22/4"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00021.html"
},
{
"tags": [
"x_transferred"
],
"url": "https://security.gentoo.org/glsa/202401-11"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache XML Graphics Batik",
"vendor": "Apache Software Foundation",
"versions": [
{
"status": "affected",
"version": "1.16"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "nbxiglk"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Server-Side Request Forgery (SSRF) vulnerability in Apache Software Foundation Apache XML Graphics Batik.\u003cp\u003eThis issue affects Apache XML Graphics Batik: 1.16.\u003c/p\u003e\u003cp\u003eOn version 1.16, a malicious SVG could trigger loading external resources by default, causing resource consumption or in some cases even information disclosure. Users are recommended to upgrade to version 1.17 or later.\u003cbr\u003e\u003c/p\u003e"
}
],
"value": "Server-Side Request Forgery (SSRF) vulnerability in Apache Software Foundation Apache XML Graphics Batik.This issue affects Apache XML Graphics Batik: 1.16.\n\nOn version 1.16, a malicious SVG could trigger loading external resources by default, causing resource consumption or in some cases even information disclosure. Users are recommended to upgrade to version 1.17 or later."
}
],
"metrics": [
{
"other": {
"content": {
"text": "moderate"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918 Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-01-07T11:06:27.331Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"url": "https://xmlgraphics.apache.org/security.html"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/hco2nw1typoorz33qzs0fcdx0ws6d6j2"
},
{
"url": "http://www.openwall.com/lists/oss-security/2023/08/22/2"
},
{
"url": "http://www.openwall.com/lists/oss-security/2023/08/22/4"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00021.html"
},
{
"url": "https://security.gentoo.org/glsa/202401-11"
}
],
"source": {
"defect": [
"BATIK-1349"
],
"discovery": "UNKNOWN"
},
"title": "Apache XML Graphics Batik: Information disclosure vulnerability",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2022-44729",
"datePublished": "2023-08-22T14:12:50.301Z",
"dateReserved": "2022-11-04T09:23:15.973Z",
"dateUpdated": "2025-02-13T16:33:42.214Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"fkie_nvd": {
"configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:apache:xml_graphics_batik:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"1.0\", \"versionEndIncluding\": \"1.16\", \"matchCriteriaId\": \"F47BF012-F21F-4B92-ADE7-957E3FE338E0\"}]}]}, {\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"07B237A9-69A3-4A9C-9DA0-4E06BD37AE73\"}]}]}]",
"descriptions": "[{\"lang\": \"en\", \"value\": \"Server-Side Request Forgery (SSRF) vulnerability in Apache Software Foundation Apache XML Graphics Batik.This issue affects Apache XML Graphics Batik: 1.16.\\n\\nOn version 1.16, a malicious SVG could trigger loading external resources by default, causing resource consumption or in some cases even information disclosure. Users are recommended to upgrade to version 1.17 or later.\\n\\n\"}]",
"id": "CVE-2022-44729",
"lastModified": "2024-11-21T07:28:22.877",
"metrics": "{\"cvssMetricV31\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H\", \"baseScore\": 7.1, \"baseSeverity\": \"HIGH\", \"attackVector\": \"LOCAL\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"REQUIRED\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 1.8, \"impactScore\": 5.2}]}",
"published": "2023-08-22T19:16:29.833",
"references": "[{\"url\": \"http://www.openwall.com/lists/oss-security/2023/08/22/2\", \"source\": \"security@apache.org\", \"tags\": [\"Mailing List\", \"Third Party Advisory\"]}, {\"url\": \"http://www.openwall.com/lists/oss-security/2023/08/22/4\", \"source\": \"security@apache.org\", \"tags\": [\"Mailing List\", \"Third Party Advisory\"]}, {\"url\": \"https://lists.apache.org/thread/hco2nw1typoorz33qzs0fcdx0ws6d6j2\", \"source\": \"security@apache.org\", \"tags\": [\"Mailing List\", \"Vendor Advisory\"]}, {\"url\": \"https://lists.debian.org/debian-lts-announce/2023/10/msg00021.html\", \"source\": \"security@apache.org\", \"tags\": [\"Mailing List\"]}, {\"url\": \"https://security.gentoo.org/glsa/202401-11\", \"source\": \"security@apache.org\"}, {\"url\": \"https://xmlgraphics.apache.org/security.html\", \"source\": \"security@apache.org\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"http://www.openwall.com/lists/oss-security/2023/08/22/2\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Mailing List\", \"Third Party Advisory\"]}, {\"url\": \"http://www.openwall.com/lists/oss-security/2023/08/22/4\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Mailing List\", \"Third Party Advisory\"]}, {\"url\": \"https://lists.apache.org/thread/hco2nw1typoorz33qzs0fcdx0ws6d6j2\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Mailing List\", \"Vendor Advisory\"]}, {\"url\": \"https://lists.debian.org/debian-lts-announce/2023/10/msg00021.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Mailing List\"]}, {\"url\": \"https://security.gentoo.org/glsa/202401-11\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://xmlgraphics.apache.org/security.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Vendor Advisory\"]}]",
"sourceIdentifier": "security@apache.org",
"vulnStatus": "Modified",
"weaknesses": "[{\"source\": \"security@apache.org\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-918\"}]}]"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2022-44729\",\"sourceIdentifier\":\"security@apache.org\",\"published\":\"2023-08-22T19:16:29.833\",\"lastModified\":\"2025-02-13T17:15:46.920\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Server-Side Request Forgery (SSRF) vulnerability in Apache Software Foundation Apache XML Graphics Batik.This issue affects Apache XML Graphics Batik: 1.16.\\n\\nOn version 1.16, a malicious SVG could trigger loading external resources by default, causing resource consumption or in some cases even information disclosure. Users are recommended to upgrade to version 1.17 or later.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H\",\"baseScore\":7.1,\"baseSeverity\":\"HIGH\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.8,\"impactScore\":5.2}]},\"weaknesses\":[{\"source\":\"security@apache.org\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-918\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:xml_graphics_batik:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"1.0\",\"versionEndIncluding\":\"1.16\",\"matchCriteriaId\":\"F47BF012-F21F-4B92-ADE7-957E3FE338E0\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"07B237A9-69A3-4A9C-9DA0-4E06BD37AE73\"}]}]}],\"references\":[{\"url\":\"http://www.openwall.com/lists/oss-security/2023/08/22/2\",\"source\":\"security@apache.org\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"http://www.openwall.com/lists/oss-security/2023/08/22/4\",\"source\":\"security@apache.org\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"https://lists.apache.org/thread/hco2nw1typoorz33qzs0fcdx0ws6d6j2\",\"source\":\"security@apache.org\",\"tags\":[\"Mailing List\",\"Vendor Advisory\"]},{\"url\":\"https://lists.debian.org/debian-lts-announce/2023/10/msg00021.html\",\"source\":\"security@apache.org\",\"tags\":[\"Mailing List\"]},{\"url\":\"https://security.gentoo.org/glsa/202401-11\",\"source\":\"security@apache.org\"},{\"url\":\"https://xmlgraphics.apache.org/security.html\",\"source\":\"security@apache.org\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"http://www.openwall.com/lists/oss-security/2023/08/22/2\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"http://www.openwall.com/lists/oss-security/2023/08/22/4\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"https://lists.apache.org/thread/hco2nw1typoorz33qzs0fcdx0ws6d6j2\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing List\",\"Vendor Advisory\"]},{\"url\":\"https://lists.debian.org/debian-lts-announce/2023/10/msg00021.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing List\"]},{\"url\":\"https://security.gentoo.org/glsa/202401-11\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://xmlgraphics.apache.org/security.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]}]}}"
}
}
CERTFR-2024-AVI-0040
Vulnerability from certfr_avis - Published: - Updated:
De multiples vulnérabilités ont été découvertes dans Atlassian Confluence et Jira. Certaines d'entre elles permettent à un attaquant de provoquer une exécution de code arbitraire à distance, un déni de service à distance et un contournement de la politique de sécurité.
Solution
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
NoneImpacted products
| Vendor | Product | Description | ||
|---|---|---|---|---|
| Atlassian | Confluence | Confluence Data Center versions LTS 8.5.x antérieures à la version 8.5.5 | ||
| Atlassian | Confluence | Confluence Data Center versions 8.x antérieures à la version 8.7.2 | ||
| Atlassian | Jira | Jira Service Management Data Center et Jira Service Management Server versions 4.20.x antérieures à la version 4.20.30 | ||
| Atlassian | Jira | Jira Data Center et Jira Server versions 9.x antérieures à la version 9.7.0 | ||
| Atlassian | Confluence | Confluence Data Center versions 7.x antérieures à la version 7.19.18 | ||
| Atlassian | Confluence | Confluence Server versions 7.x antérieures à la version 7.19.18 | ||
| Atlassian | Confluence | Confluence Server versions 8.5.x antérieures à la version 8.5.5 | ||
| Atlassian | Jira | Jira Service Management Data Center et Jira Service Management Server versions 5.x antérieures à la version 5.12.2 | ||
| Atlassian | Jira | Jira Service Management Data Center et Jira Service Management Server versions LTS 5.4.x antérieures à la version 5.4.15 | ||
| Atlassian | Jira | Jira Data Center et Jira Server versions LTS 9.4.x antérieures à la version 9.4.13 |
References
| Title | Publication Time | Tags | ||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "Confluence Data Center versions LTS 8.5.x ant\u00e9rieures \u00e0 la version 8.5.5",
"product": {
"name": "Confluence",
"vendor": {
"name": "Atlassian",
"scada": false
}
}
},
{
"description": "Confluence Data Center versions 8.x ant\u00e9rieures \u00e0 la version 8.7.2",
"product": {
"name": "Confluence",
"vendor": {
"name": "Atlassian",
"scada": false
}
}
},
{
"description": "Jira Service Management Data Center et Jira Service Management Server versions 4.20.x ant\u00e9rieures \u00e0 la version 4.20.30",
"product": {
"name": "Jira",
"vendor": {
"name": "Atlassian",
"scada": false
}
}
},
{
"description": "Jira Data Center et Jira Server versions 9.x ant\u00e9rieures \u00e0 la version 9.7.0",
"product": {
"name": "Jira",
"vendor": {
"name": "Atlassian",
"scada": false
}
}
},
{
"description": "Confluence Data Center versions 7.x ant\u00e9rieures \u00e0 la version 7.19.18",
"product": {
"name": "Confluence",
"vendor": {
"name": "Atlassian",
"scada": false
}
}
},
{
"description": "Confluence Server versions 7.x ant\u00e9rieures \u00e0 la version 7.19.18",
"product": {
"name": "Confluence",
"vendor": {
"name": "Atlassian",
"scada": false
}
}
},
{
"description": "Confluence Server versions 8.5.x ant\u00e9rieures \u00e0 la version 8.5.5",
"product": {
"name": "Confluence",
"vendor": {
"name": "Atlassian",
"scada": false
}
}
},
{
"description": "Jira Service Management Data Center et Jira Service Management Server versions 5.x ant\u00e9rieures \u00e0 la version 5.12.2",
"product": {
"name": "Jira",
"vendor": {
"name": "Atlassian",
"scada": false
}
}
},
{
"description": "Jira Service Management Data Center et Jira Service Management Server versions LTS 5.4.x ant\u00e9rieures \u00e0 la version 5.4.15",
"product": {
"name": "Jira",
"vendor": {
"name": "Atlassian",
"scada": false
}
}
},
{
"description": "Jira Data Center et Jira Server versions LTS 9.4.x ant\u00e9rieures \u00e0 la version 9.4.13",
"product": {
"name": "Jira",
"vendor": {
"name": "Atlassian",
"scada": false
}
}
}
],
"affected_systems_content": null,
"content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
"cves": [
{
"name": "CVE-2024-21672",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-21672"
},
{
"name": "CVE-2023-22527",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-22527"
},
{
"name": "CVE-2022-42252",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-42252"
},
{
"name": "CVE-2023-3635",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-3635"
},
{
"name": "CVE-2022-44729",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-44729"
},
{
"name": "CVE-2020-25649",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-25649"
},
{
"name": "CVE-2023-22526",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-22526"
},
{
"name": "CVE-2024-21673",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-21673"
}
],
"links": [],
"reference": "CERTFR-2024-AVI-0040",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2024-01-16T00:00:00.000000"
}
],
"risks": [
{
"description": "D\u00e9ni de service \u00e0 distance"
},
{
"description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
},
{
"description": "Atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es"
},
{
"description": "Contournement de la politique de s\u00e9curit\u00e9"
},
{
"description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans Atlassian\nConfluence et Jira. Certaines d\u0027entre elles permettent \u00e0 un attaquant de\nprovoquer une ex\u00e9cution de code arbitraire \u00e0 distance, un d\u00e9ni de\nservice \u00e0 distance et un contournement de la politique de s\u00e9curit\u00e9.\n",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans Atlassian Confluence et Jira",
"vendor_advisories": [
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Atlassian 1333335615 du 16 janvier 2024",
"url": "https://confluence.atlassian.com/security/security-bulletin-january-16-2024-1333335615.html"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Atlassian 1333990257 du 16 janvier 2024",
"url": "https://confluence.atlassian.com/security/cve-2023-22527-rce-remote-code-execution-vulnerability-in-confluence-data-center-and-confluence-server-1333990257.html"
}
]
}
CERTFR-2023-AVI-0958
Vulnerability from certfr_avis - Published: - Updated:
De multiples vulnérabilités ont été découvertes dans les produits IBM. Certaines d'entre elles permettent à un attaquant de provoquer une élévation de privilèges, une atteinte à la confidentialité des données et une exécution de code arbitraire à distance.
Solution
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
NoneImpacted products
References
| Title | Publication Time | Tags | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "IBM WebSphere Application Server Liberty versions 18.0.0.2 \u00e0 23.0.0.11 ant\u00e9rieures \u00e0 23.0.0.12",
"product": {
"name": "WebSphere",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "IBM QRadar SIEM versions 7.5 ant\u00e9rieures \u00e0 7.5.0 UP7 IF02",
"product": {
"name": "QRadar SIEM",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "IBM QRadar Network Packet Capture versions 7.5 ant\u00e9rieures \u00e0 7.5 UP7",
"product": {
"name": "QRadar",
"vendor": {
"name": "IBM",
"scada": false
}
}
}
],
"affected_systems_content": null,
"content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
"cves": [
{
"name": "CVE-2023-20900",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-20900"
},
{
"name": "CVE-2020-22218",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-22218"
},
{
"name": "CVE-2023-43057",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-43057"
},
{
"name": "CVE-2023-35788",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-35788"
},
{
"name": "CVE-2023-44487",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-44487"
},
{
"name": "CVE-2023-2828",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-2828"
},
{
"name": "CVE-2023-3899",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-3899"
},
{
"name": "CVE-2023-20593",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-20593"
},
{
"name": "CVE-2022-44729",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-44729"
},
{
"name": "CVE-2023-3341",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-3341"
},
{
"name": "CVE-2022-48339",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-48339"
},
{
"name": "CVE-2022-44730",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-44730"
},
{
"name": "CVE-2022-4839",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-4839"
},
{
"name": "CVE-2023-24329",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-24329"
}
],
"links": [],
"reference": "CERTFR-2023-AVI-0958",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2023-11-17T00:00:00.000000"
}
],
"risks": [
{
"description": "D\u00e9ni de service \u00e0 distance"
},
{
"description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
},
{
"description": "Contournement de la politique de s\u00e9curit\u00e9"
},
{
"description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
},
{
"description": "\u00c9l\u00e9vation de privil\u00e8ges"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans \u003cspan\nclass=\"textit\"\u003eles produits IBM\u003c/span\u003e. Certaines d\u0027entre elles\npermettent \u00e0 un attaquant de provoquer une \u00e9l\u00e9vation de privil\u00e8ges, une\natteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es et une ex\u00e9cution de code\narbitraire \u00e0 distance.\n",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans IBM",
"vendor_advisories": [
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 IBM 7070736 du 10 novembre 2023",
"url": "https://www.ibm.com/support/pages/node/7070736"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 IBM 7077065 du 15 novembre 2023",
"url": "https://www.ibm.com/support/pages/node/7077065"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 IBM 7076252 du 15 novembre 2023",
"url": "https://www.ibm.com/support/pages/node/7076252"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 IBM 7073360 du 14 novembre 2023",
"url": "https://www.ibm.com/support/pages/node/7073360"
}
]
}
CERTFR-2023-AVI-0950
Vulnerability from certfr_avis - Published: - Updated:
De multiples vulnérabilités ont été découvertes dans Juniper Secure Analytics. Certaines d'entre elles permettent à un attaquant de provoquer une exécution de code arbitraire à distance, un déni de service à distance et un contournement de la politique de sécurité.
Solution
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
NoneImpacted products
| Vendor | Product | Description | ||
|---|---|---|---|---|
| Juniper Networks | Secure Analytics | Juniper Secure Analytics (JSA) versions antérieures à 7.5.0 UP7 |
References
| Title | Publication Time | Tags | |||
|---|---|---|---|---|---|
|
|||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "Juniper Secure Analytics (JSA) versions ant\u00e9rieures \u00e0 7.5.0 UP7",
"product": {
"name": "Secure Analytics",
"vendor": {
"name": "Juniper Networks",
"scada": false
}
}
}
],
"affected_systems_content": null,
"content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
"cves": [
{
"name": "CVE-2023-20900",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-20900"
},
{
"name": "CVE-2020-22218",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-22218"
},
{
"name": "CVE-2023-43057",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-43057"
},
{
"name": "CVE-2023-35788",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-35788"
},
{
"name": "CVE-2023-3899",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-3899"
},
{
"name": "CVE-2023-20593",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-20593"
},
{
"name": "CVE-2022-44729",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-44729"
},
{
"name": "CVE-2023-3341",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-3341"
},
{
"name": "CVE-2022-44730",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-44730"
}
],
"links": [],
"reference": "CERTFR-2023-AVI-0950",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2023-11-16T00:00:00.000000"
}
],
"risks": [
{
"description": "D\u00e9ni de service \u00e0 distance"
},
{
"description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
},
{
"description": "Contournement de la politique de s\u00e9curit\u00e9"
},
{
"description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
},
{
"description": "\u00c9l\u00e9vation de privil\u00e8ges"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans \u003cspan\nclass=\"textit\"\u003eJuniper Secure Analytics\u003c/span\u003e. Certaines d\u0027entre elles\npermettent \u00e0 un attaquant de provoquer une ex\u00e9cution de code arbitraire\n\u00e0 distance, un d\u00e9ni de service \u00e0 distance et un contournement de la\npolitique de s\u00e9curit\u00e9.\n",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans Juniper Secure Analytics",
"vendor_advisories": [
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Juniper du 16 novembre 2023",
"url": "https://supportportal.juniper.net/s/article/2023-11-Security-Bulletin-JSA-Series-Multiple-vulnerabilities-resolved?language=en_US"
}
]
}
CERTFR-2023-AVI-0860
Vulnerability from certfr_avis - Published: - Updated:
De multiples vulnérabilités ont été découvertes dans Oracle Database Server. Elles permettent à un attaquant de provoquer un déni de service à distance, une atteinte à l'intégrité des données et une atteinte à la confidentialité des données.
Solution
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
NoneImpacted products
| Vendor | Product | Description | ||
|---|---|---|---|---|
| Oracle | Database Server | Oracle Database Server versions 19.3-19.20 et 21.3-21.11 sans les derniers correctifs de sécurité |
References
| Title | Publication Time | Tags | ||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "Oracle Database Server versions 19.3-19.20 et 21.3-21.11 sans les derniers correctifs de s\u00e9curit\u00e9",
"product": {
"name": "Database Server",
"vendor": {
"name": "Oracle",
"scada": false
}
}
}
],
"affected_systems_content": null,
"content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
"cves": [
{
"name": "CVE-2023-22096",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-22096"
},
{
"name": "CVE-2023-28322",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-28322"
},
{
"name": "CVE-2022-40897",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-40897"
},
{
"name": "CVE-2023-28320",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-28320"
},
{
"name": "CVE-2023-35116",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-35116"
},
{
"name": "CVE-2022-44729",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-44729"
},
{
"name": "CVE-2023-22077",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-22077"
},
{
"name": "CVE-2023-28321",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-28321"
},
{
"name": "CVE-2023-38325",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-38325"
},
{
"name": "CVE-2023-22073",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-22073"
},
{
"name": "CVE-2023-22071",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-22071"
},
{
"name": "CVE-2022-40896",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-40896"
},
{
"name": "CVE-2023-22075",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-22075"
},
{
"name": "CVE-2023-22074",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-22074"
},
{
"name": "CVE-2023-38039",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-38039"
},
{
"name": "CVE-2022-23491",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-23491"
}
],
"links": [],
"reference": "CERTFR-2023-AVI-0860",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2023-10-18T00:00:00.000000"
}
],
"risks": [
{
"description": "D\u00e9ni de service \u00e0 distance"
},
{
"description": "Atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es"
},
{
"description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans Oracle Database\nServer. Elles permettent \u00e0 un attaquant de provoquer un d\u00e9ni de service\n\u00e0 distance, une atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es et une atteinte \u00e0 la\nconfidentialit\u00e9 des donn\u00e9es.\n",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans Oracle Database Server",
"vendor_advisories": [
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Oracle cpuoct2023verbose du 17 octobre 2023",
"url": "https://www.oracle.com/security-alerts/cpuoct2023verbose.html#DB"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Oracle cpuoct2023 du 17 octobre 2023",
"url": "https://www.oracle.com/security-alerts/cpuoct2023.html"
}
]
}
CERTFR-2024-AVI-0040
Vulnerability from certfr_avis - Published: - Updated:
De multiples vulnérabilités ont été découvertes dans Atlassian Confluence et Jira. Certaines d'entre elles permettent à un attaquant de provoquer une exécution de code arbitraire à distance, un déni de service à distance et un contournement de la politique de sécurité.
Solution
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
NoneImpacted products
| Vendor | Product | Description | ||
|---|---|---|---|---|
| Atlassian | Confluence | Confluence Data Center versions LTS 8.5.x antérieures à la version 8.5.5 | ||
| Atlassian | Confluence | Confluence Data Center versions 8.x antérieures à la version 8.7.2 | ||
| Atlassian | Jira | Jira Service Management Data Center et Jira Service Management Server versions 4.20.x antérieures à la version 4.20.30 | ||
| Atlassian | Jira | Jira Data Center et Jira Server versions 9.x antérieures à la version 9.7.0 | ||
| Atlassian | Confluence | Confluence Data Center versions 7.x antérieures à la version 7.19.18 | ||
| Atlassian | Confluence | Confluence Server versions 7.x antérieures à la version 7.19.18 | ||
| Atlassian | Confluence | Confluence Server versions 8.5.x antérieures à la version 8.5.5 | ||
| Atlassian | Jira | Jira Service Management Data Center et Jira Service Management Server versions 5.x antérieures à la version 5.12.2 | ||
| Atlassian | Jira | Jira Service Management Data Center et Jira Service Management Server versions LTS 5.4.x antérieures à la version 5.4.15 | ||
| Atlassian | Jira | Jira Data Center et Jira Server versions LTS 9.4.x antérieures à la version 9.4.13 |
References
| Title | Publication Time | Tags | ||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "Confluence Data Center versions LTS 8.5.x ant\u00e9rieures \u00e0 la version 8.5.5",
"product": {
"name": "Confluence",
"vendor": {
"name": "Atlassian",
"scada": false
}
}
},
{
"description": "Confluence Data Center versions 8.x ant\u00e9rieures \u00e0 la version 8.7.2",
"product": {
"name": "Confluence",
"vendor": {
"name": "Atlassian",
"scada": false
}
}
},
{
"description": "Jira Service Management Data Center et Jira Service Management Server versions 4.20.x ant\u00e9rieures \u00e0 la version 4.20.30",
"product": {
"name": "Jira",
"vendor": {
"name": "Atlassian",
"scada": false
}
}
},
{
"description": "Jira Data Center et Jira Server versions 9.x ant\u00e9rieures \u00e0 la version 9.7.0",
"product": {
"name": "Jira",
"vendor": {
"name": "Atlassian",
"scada": false
}
}
},
{
"description": "Confluence Data Center versions 7.x ant\u00e9rieures \u00e0 la version 7.19.18",
"product": {
"name": "Confluence",
"vendor": {
"name": "Atlassian",
"scada": false
}
}
},
{
"description": "Confluence Server versions 7.x ant\u00e9rieures \u00e0 la version 7.19.18",
"product": {
"name": "Confluence",
"vendor": {
"name": "Atlassian",
"scada": false
}
}
},
{
"description": "Confluence Server versions 8.5.x ant\u00e9rieures \u00e0 la version 8.5.5",
"product": {
"name": "Confluence",
"vendor": {
"name": "Atlassian",
"scada": false
}
}
},
{
"description": "Jira Service Management Data Center et Jira Service Management Server versions 5.x ant\u00e9rieures \u00e0 la version 5.12.2",
"product": {
"name": "Jira",
"vendor": {
"name": "Atlassian",
"scada": false
}
}
},
{
"description": "Jira Service Management Data Center et Jira Service Management Server versions LTS 5.4.x ant\u00e9rieures \u00e0 la version 5.4.15",
"product": {
"name": "Jira",
"vendor": {
"name": "Atlassian",
"scada": false
}
}
},
{
"description": "Jira Data Center et Jira Server versions LTS 9.4.x ant\u00e9rieures \u00e0 la version 9.4.13",
"product": {
"name": "Jira",
"vendor": {
"name": "Atlassian",
"scada": false
}
}
}
],
"affected_systems_content": null,
"content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
"cves": [
{
"name": "CVE-2024-21672",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-21672"
},
{
"name": "CVE-2023-22527",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-22527"
},
{
"name": "CVE-2022-42252",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-42252"
},
{
"name": "CVE-2023-3635",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-3635"
},
{
"name": "CVE-2022-44729",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-44729"
},
{
"name": "CVE-2020-25649",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-25649"
},
{
"name": "CVE-2023-22526",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-22526"
},
{
"name": "CVE-2024-21673",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-21673"
}
],
"links": [],
"reference": "CERTFR-2024-AVI-0040",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2024-01-16T00:00:00.000000"
}
],
"risks": [
{
"description": "D\u00e9ni de service \u00e0 distance"
},
{
"description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
},
{
"description": "Atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es"
},
{
"description": "Contournement de la politique de s\u00e9curit\u00e9"
},
{
"description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans Atlassian\nConfluence et Jira. Certaines d\u0027entre elles permettent \u00e0 un attaquant de\nprovoquer une ex\u00e9cution de code arbitraire \u00e0 distance, un d\u00e9ni de\nservice \u00e0 distance et un contournement de la politique de s\u00e9curit\u00e9.\n",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans Atlassian Confluence et Jira",
"vendor_advisories": [
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Atlassian 1333335615 du 16 janvier 2024",
"url": "https://confluence.atlassian.com/security/security-bulletin-january-16-2024-1333335615.html"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Atlassian 1333990257 du 16 janvier 2024",
"url": "https://confluence.atlassian.com/security/cve-2023-22527-rce-remote-code-execution-vulnerability-in-confluence-data-center-and-confluence-server-1333990257.html"
}
]
}
CERTFR-2023-AVI-0860
Vulnerability from certfr_avis - Published: - Updated:
De multiples vulnérabilités ont été découvertes dans Oracle Database Server. Elles permettent à un attaquant de provoquer un déni de service à distance, une atteinte à l'intégrité des données et une atteinte à la confidentialité des données.
Solution
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
NoneImpacted products
| Vendor | Product | Description | ||
|---|---|---|---|---|
| Oracle | Database Server | Oracle Database Server versions 19.3-19.20 et 21.3-21.11 sans les derniers correctifs de sécurité |
References
| Title | Publication Time | Tags | ||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "Oracle Database Server versions 19.3-19.20 et 21.3-21.11 sans les derniers correctifs de s\u00e9curit\u00e9",
"product": {
"name": "Database Server",
"vendor": {
"name": "Oracle",
"scada": false
}
}
}
],
"affected_systems_content": null,
"content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
"cves": [
{
"name": "CVE-2023-22096",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-22096"
},
{
"name": "CVE-2023-28322",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-28322"
},
{
"name": "CVE-2022-40897",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-40897"
},
{
"name": "CVE-2023-28320",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-28320"
},
{
"name": "CVE-2023-35116",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-35116"
},
{
"name": "CVE-2022-44729",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-44729"
},
{
"name": "CVE-2023-22077",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-22077"
},
{
"name": "CVE-2023-28321",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-28321"
},
{
"name": "CVE-2023-38325",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-38325"
},
{
"name": "CVE-2023-22073",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-22073"
},
{
"name": "CVE-2023-22071",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-22071"
},
{
"name": "CVE-2022-40896",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-40896"
},
{
"name": "CVE-2023-22075",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-22075"
},
{
"name": "CVE-2023-22074",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-22074"
},
{
"name": "CVE-2023-38039",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-38039"
},
{
"name": "CVE-2022-23491",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-23491"
}
],
"links": [],
"reference": "CERTFR-2023-AVI-0860",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2023-10-18T00:00:00.000000"
}
],
"risks": [
{
"description": "D\u00e9ni de service \u00e0 distance"
},
{
"description": "Atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es"
},
{
"description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans Oracle Database\nServer. Elles permettent \u00e0 un attaquant de provoquer un d\u00e9ni de service\n\u00e0 distance, une atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es et une atteinte \u00e0 la\nconfidentialit\u00e9 des donn\u00e9es.\n",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans Oracle Database Server",
"vendor_advisories": [
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Oracle cpuoct2023verbose du 17 octobre 2023",
"url": "https://www.oracle.com/security-alerts/cpuoct2023verbose.html#DB"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Oracle cpuoct2023 du 17 octobre 2023",
"url": "https://www.oracle.com/security-alerts/cpuoct2023.html"
}
]
}
CERTFR-2023-AVI-0861
Vulnerability from certfr_avis - Published: - Updated:
De multiples vulnérabilités ont été découvertes dans Oracle WebLogic. Certaines d'entre elles permettent à un attaquant de provoquer une exécution de code arbitraire à distance, un déni de service à distance et une atteinte à l'intégrité des données.
Solution
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
NoneImpacted products
References
| Title | Publication Time | Tags | ||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "Oracle WebLogic versions 12.2.1.3.0, 12.2.1.4.0 et 14.1.1.0.0 sans les derniers correctifs de s\u00e9curit\u00e9",
"product": {
"name": "Weblogic",
"vendor": {
"name": "Oracle",
"scada": false
}
}
}
],
"affected_systems_content": null,
"content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
"cves": [
{
"name": "CVE-2022-29599",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-29599"
},
{
"name": "CVE-2020-13956",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-13956"
},
{
"name": "CVE-2023-22069",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-22069"
},
{
"name": "CVE-2023-22086",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-22086"
},
{
"name": "CVE-2022-29546",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-29546"
},
{
"name": "CVE-2021-36374",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-36374"
},
{
"name": "CVE-2023-35116",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-35116"
},
{
"name": "CVE-2023-22072",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-22072"
},
{
"name": "CVE-2022-44729",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-44729"
},
{
"name": "CVE-2023-22108",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-22108"
},
{
"name": "CVE-2023-22089",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-22089"
},
{
"name": "CVE-2022-42920",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-42920"
},
{
"name": "CVE-2023-2976",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-2976"
},
{
"name": "CVE-2023-22101",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-22101"
},
{
"name": "CVE-2022-23491",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-23491"
}
],
"links": [],
"reference": "CERTFR-2023-AVI-0861",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2023-10-18T00:00:00.000000"
}
],
"risks": [
{
"description": "D\u00e9ni de service \u00e0 distance"
},
{
"description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
},
{
"description": "Atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es"
},
{
"description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans Oracle WebLogic.\nCertaines d\u0027entre elles permettent \u00e0 un attaquant de provoquer une\nex\u00e9cution de code arbitraire \u00e0 distance, un d\u00e9ni de service \u00e0 distance\net une atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es.\n",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans Oracle WebLogic",
"vendor_advisories": [
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Oracle cpuoct2023 verbose du 17 octobre 2023",
"url": "https://www.oracle.com/security-alerts/cpuoct2023verbose.html#FMW"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Oracle cpuoct2023 du 17 octobre 2023",
"url": "https://www.oracle.com/security-alerts/cpuoct2023.html"
}
]
}
CERTFR-2023-AVI-0861
Vulnerability from certfr_avis - Published: - Updated:
De multiples vulnérabilités ont été découvertes dans Oracle WebLogic. Certaines d'entre elles permettent à un attaquant de provoquer une exécution de code arbitraire à distance, un déni de service à distance et une atteinte à l'intégrité des données.
Solution
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
NoneImpacted products
References
| Title | Publication Time | Tags | ||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "Oracle WebLogic versions 12.2.1.3.0, 12.2.1.4.0 et 14.1.1.0.0 sans les derniers correctifs de s\u00e9curit\u00e9",
"product": {
"name": "Weblogic",
"vendor": {
"name": "Oracle",
"scada": false
}
}
}
],
"affected_systems_content": null,
"content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
"cves": [
{
"name": "CVE-2022-29599",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-29599"
},
{
"name": "CVE-2020-13956",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-13956"
},
{
"name": "CVE-2023-22069",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-22069"
},
{
"name": "CVE-2023-22086",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-22086"
},
{
"name": "CVE-2022-29546",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-29546"
},
{
"name": "CVE-2021-36374",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-36374"
},
{
"name": "CVE-2023-35116",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-35116"
},
{
"name": "CVE-2023-22072",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-22072"
},
{
"name": "CVE-2022-44729",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-44729"
},
{
"name": "CVE-2023-22108",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-22108"
},
{
"name": "CVE-2023-22089",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-22089"
},
{
"name": "CVE-2022-42920",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-42920"
},
{
"name": "CVE-2023-2976",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-2976"
},
{
"name": "CVE-2023-22101",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-22101"
},
{
"name": "CVE-2022-23491",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-23491"
}
],
"links": [],
"reference": "CERTFR-2023-AVI-0861",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2023-10-18T00:00:00.000000"
}
],
"risks": [
{
"description": "D\u00e9ni de service \u00e0 distance"
},
{
"description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
},
{
"description": "Atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es"
},
{
"description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans Oracle WebLogic.\nCertaines d\u0027entre elles permettent \u00e0 un attaquant de provoquer une\nex\u00e9cution de code arbitraire \u00e0 distance, un d\u00e9ni de service \u00e0 distance\net une atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es.\n",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans Oracle WebLogic",
"vendor_advisories": [
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Oracle cpuoct2023 verbose du 17 octobre 2023",
"url": "https://www.oracle.com/security-alerts/cpuoct2023verbose.html#FMW"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Oracle cpuoct2023 du 17 octobre 2023",
"url": "https://www.oracle.com/security-alerts/cpuoct2023.html"
}
]
}
CERTFR-2023-AVI-0950
Vulnerability from certfr_avis - Published: - Updated:
De multiples vulnérabilités ont été découvertes dans Juniper Secure Analytics. Certaines d'entre elles permettent à un attaquant de provoquer une exécution de code arbitraire à distance, un déni de service à distance et un contournement de la politique de sécurité.
Solution
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
NoneImpacted products
| Vendor | Product | Description | ||
|---|---|---|---|---|
| Juniper Networks | Secure Analytics | Juniper Secure Analytics (JSA) versions antérieures à 7.5.0 UP7 |
References
| Title | Publication Time | Tags | |||
|---|---|---|---|---|---|
|
|||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "Juniper Secure Analytics (JSA) versions ant\u00e9rieures \u00e0 7.5.0 UP7",
"product": {
"name": "Secure Analytics",
"vendor": {
"name": "Juniper Networks",
"scada": false
}
}
}
],
"affected_systems_content": null,
"content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
"cves": [
{
"name": "CVE-2023-20900",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-20900"
},
{
"name": "CVE-2020-22218",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-22218"
},
{
"name": "CVE-2023-43057",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-43057"
},
{
"name": "CVE-2023-35788",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-35788"
},
{
"name": "CVE-2023-3899",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-3899"
},
{
"name": "CVE-2023-20593",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-20593"
},
{
"name": "CVE-2022-44729",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-44729"
},
{
"name": "CVE-2023-3341",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-3341"
},
{
"name": "CVE-2022-44730",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-44730"
}
],
"links": [],
"reference": "CERTFR-2023-AVI-0950",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2023-11-16T00:00:00.000000"
}
],
"risks": [
{
"description": "D\u00e9ni de service \u00e0 distance"
},
{
"description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
},
{
"description": "Contournement de la politique de s\u00e9curit\u00e9"
},
{
"description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
},
{
"description": "\u00c9l\u00e9vation de privil\u00e8ges"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans \u003cspan\nclass=\"textit\"\u003eJuniper Secure Analytics\u003c/span\u003e. Certaines d\u0027entre elles\npermettent \u00e0 un attaquant de provoquer une ex\u00e9cution de code arbitraire\n\u00e0 distance, un d\u00e9ni de service \u00e0 distance et un contournement de la\npolitique de s\u00e9curit\u00e9.\n",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans Juniper Secure Analytics",
"vendor_advisories": [
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Juniper du 16 novembre 2023",
"url": "https://supportportal.juniper.net/s/article/2023-11-Security-Bulletin-JSA-Series-Multiple-vulnerabilities-resolved?language=en_US"
}
]
}
CERTFR-2023-AVI-0958
Vulnerability from certfr_avis - Published: - Updated:
De multiples vulnérabilités ont été découvertes dans les produits IBM. Certaines d'entre elles permettent à un attaquant de provoquer une élévation de privilèges, une atteinte à la confidentialité des données et une exécution de code arbitraire à distance.
Solution
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
NoneImpacted products
References
| Title | Publication Time | Tags | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "IBM WebSphere Application Server Liberty versions 18.0.0.2 \u00e0 23.0.0.11 ant\u00e9rieures \u00e0 23.0.0.12",
"product": {
"name": "WebSphere",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "IBM QRadar SIEM versions 7.5 ant\u00e9rieures \u00e0 7.5.0 UP7 IF02",
"product": {
"name": "QRadar SIEM",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "IBM QRadar Network Packet Capture versions 7.5 ant\u00e9rieures \u00e0 7.5 UP7",
"product": {
"name": "QRadar",
"vendor": {
"name": "IBM",
"scada": false
}
}
}
],
"affected_systems_content": null,
"content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
"cves": [
{
"name": "CVE-2023-20900",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-20900"
},
{
"name": "CVE-2020-22218",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-22218"
},
{
"name": "CVE-2023-43057",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-43057"
},
{
"name": "CVE-2023-35788",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-35788"
},
{
"name": "CVE-2023-44487",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-44487"
},
{
"name": "CVE-2023-2828",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-2828"
},
{
"name": "CVE-2023-3899",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-3899"
},
{
"name": "CVE-2023-20593",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-20593"
},
{
"name": "CVE-2022-44729",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-44729"
},
{
"name": "CVE-2023-3341",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-3341"
},
{
"name": "CVE-2022-48339",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-48339"
},
{
"name": "CVE-2022-44730",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-44730"
},
{
"name": "CVE-2022-4839",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-4839"
},
{
"name": "CVE-2023-24329",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-24329"
}
],
"links": [],
"reference": "CERTFR-2023-AVI-0958",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2023-11-17T00:00:00.000000"
}
],
"risks": [
{
"description": "D\u00e9ni de service \u00e0 distance"
},
{
"description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
},
{
"description": "Contournement de la politique de s\u00e9curit\u00e9"
},
{
"description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
},
{
"description": "\u00c9l\u00e9vation de privil\u00e8ges"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans \u003cspan\nclass=\"textit\"\u003eles produits IBM\u003c/span\u003e. Certaines d\u0027entre elles\npermettent \u00e0 un attaquant de provoquer une \u00e9l\u00e9vation de privil\u00e8ges, une\natteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es et une ex\u00e9cution de code\narbitraire \u00e0 distance.\n",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans IBM",
"vendor_advisories": [
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 IBM 7070736 du 10 novembre 2023",
"url": "https://www.ibm.com/support/pages/node/7070736"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 IBM 7077065 du 15 novembre 2023",
"url": "https://www.ibm.com/support/pages/node/7077065"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 IBM 7076252 du 15 novembre 2023",
"url": "https://www.ibm.com/support/pages/node/7076252"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 IBM 7073360 du 14 novembre 2023",
"url": "https://www.ibm.com/support/pages/node/7073360"
}
]
}
FKIE_CVE-2022-44729
Vulnerability from fkie_nvd - Published: 2023-08-22 19:16 - Updated: 2025-02-13 17:15
Severity ?
Summary
Server-Side Request Forgery (SSRF) vulnerability in Apache Software Foundation Apache XML Graphics Batik.This issue affects Apache XML Graphics Batik: 1.16.
On version 1.16, a malicious SVG could trigger loading external resources by default, causing resource consumption or in some cases even information disclosure. Users are recommended to upgrade to version 1.17 or later.
References
| URL | Tags | ||
|---|---|---|---|
| security@apache.org | http://www.openwall.com/lists/oss-security/2023/08/22/2 | Mailing List, Third Party Advisory | |
| security@apache.org | http://www.openwall.com/lists/oss-security/2023/08/22/4 | Mailing List, Third Party Advisory | |
| security@apache.org | https://lists.apache.org/thread/hco2nw1typoorz33qzs0fcdx0ws6d6j2 | Mailing List, Vendor Advisory | |
| security@apache.org | https://lists.debian.org/debian-lts-announce/2023/10/msg00021.html | Mailing List | |
| security@apache.org | https://security.gentoo.org/glsa/202401-11 | ||
| security@apache.org | https://xmlgraphics.apache.org/security.html | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.openwall.com/lists/oss-security/2023/08/22/2 | Mailing List, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.openwall.com/lists/oss-security/2023/08/22/4 | Mailing List, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://lists.apache.org/thread/hco2nw1typoorz33qzs0fcdx0ws6d6j2 | Mailing List, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://lists.debian.org/debian-lts-announce/2023/10/msg00021.html | Mailing List | |
| af854a3a-2127-422b-91ae-364da2661108 | https://security.gentoo.org/glsa/202401-11 | ||
| af854a3a-2127-422b-91ae-364da2661108 | https://xmlgraphics.apache.org/security.html | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| apache | xml_graphics_batik | * | |
| debian | debian_linux | 10.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:xml_graphics_batik:*:*:*:*:*:*:*:*",
"matchCriteriaId": "F47BF012-F21F-4B92-ADE7-957E3FE338E0",
"versionEndIncluding": "1.16",
"versionStartIncluding": "1.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*",
"matchCriteriaId": "07B237A9-69A3-4A9C-9DA0-4E06BD37AE73",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Server-Side Request Forgery (SSRF) vulnerability in Apache Software Foundation Apache XML Graphics Batik.This issue affects Apache XML Graphics Batik: 1.16.\n\nOn version 1.16, a malicious SVG could trigger loading external resources by default, causing resource consumption or in some cases even information disclosure. Users are recommended to upgrade to version 1.17 or later."
}
],
"id": "CVE-2022-44729",
"lastModified": "2025-02-13T17:15:46.920",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 1.8,
"impactScore": 5.2,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-08-22T19:16:29.833",
"references": [
{
"source": "security@apache.org",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2023/08/22/2"
},
{
"source": "security@apache.org",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2023/08/22/4"
},
{
"source": "security@apache.org",
"tags": [
"Mailing List",
"Vendor Advisory"
],
"url": "https://lists.apache.org/thread/hco2nw1typoorz33qzs0fcdx0ws6d6j2"
},
{
"source": "security@apache.org",
"tags": [
"Mailing List"
],
"url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00021.html"
},
{
"source": "security@apache.org",
"url": "https://security.gentoo.org/glsa/202401-11"
},
{
"source": "security@apache.org",
"tags": [
"Vendor Advisory"
],
"url": "https://xmlgraphics.apache.org/security.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2023/08/22/2"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2023/08/22/4"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Vendor Advisory"
],
"url": "https://lists.apache.org/thread/hco2nw1typoorz33qzs0fcdx0ws6d6j2"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List"
],
"url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00021.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://security.gentoo.org/glsa/202401-11"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://xmlgraphics.apache.org/security.html"
}
],
"sourceIdentifier": "security@apache.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-918"
}
],
"source": "security@apache.org",
"type": "Primary"
}
]
}
OPENSUSE-SU-2024:13743-1
Vulnerability from csaf_opensuse - Published: 2024-06-15 00:00 - Updated: 2024-06-15 00:00Summary
xmlgraphics-batik-1.17-1.1 on GA media
Notes
Title of the patch
xmlgraphics-batik-1.17-1.1 on GA media
Description of the patch
These are all security issues fixed in the xmlgraphics-batik-1.17-1.1 package on the GA media of openSUSE Tumbleweed.
Patchnames
openSUSE-Tumbleweed-2024-13743
Terms of use
CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "xmlgraphics-batik-1.17-1.1 on GA media",
"title": "Title of the patch"
},
{
"category": "description",
"text": "These are all security issues fixed in the xmlgraphics-batik-1.17-1.1 package on the GA media of openSUSE Tumbleweed.",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-Tumbleweed-2024-13743",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2024_13743-1.json"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2022-41704 page",
"url": "https://www.suse.com/security/cve/CVE-2022-41704/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2022-42890 page",
"url": "https://www.suse.com/security/cve/CVE-2022-42890/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2022-44729 page",
"url": "https://www.suse.com/security/cve/CVE-2022-44729/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2022-44730 page",
"url": "https://www.suse.com/security/cve/CVE-2022-44730/"
}
],
"title": "xmlgraphics-batik-1.17-1.1 on GA media",
"tracking": {
"current_release_date": "2024-06-15T00:00:00Z",
"generator": {
"date": "2024-06-15T00:00:00Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2024:13743-1",
"initial_release_date": "2024-06-15T00:00:00Z",
"revision_history": [
{
"date": "2024-06-15T00:00:00Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "xmlgraphics-batik-1.17-1.1.aarch64",
"product": {
"name": "xmlgraphics-batik-1.17-1.1.aarch64",
"product_id": "xmlgraphics-batik-1.17-1.1.aarch64"
}
},
{
"category": "product_version",
"name": "xmlgraphics-batik-css-1.17-1.1.aarch64",
"product": {
"name": "xmlgraphics-batik-css-1.17-1.1.aarch64",
"product_id": "xmlgraphics-batik-css-1.17-1.1.aarch64"
}
},
{
"category": "product_version",
"name": "xmlgraphics-batik-demo-1.17-1.1.aarch64",
"product": {
"name": "xmlgraphics-batik-demo-1.17-1.1.aarch64",
"product_id": "xmlgraphics-batik-demo-1.17-1.1.aarch64"
}
},
{
"category": "product_version",
"name": "xmlgraphics-batik-javadoc-1.17-1.1.aarch64",
"product": {
"name": "xmlgraphics-batik-javadoc-1.17-1.1.aarch64",
"product_id": "xmlgraphics-batik-javadoc-1.17-1.1.aarch64"
}
},
{
"category": "product_version",
"name": "xmlgraphics-batik-rasterizer-1.17-1.1.aarch64",
"product": {
"name": "xmlgraphics-batik-rasterizer-1.17-1.1.aarch64",
"product_id": "xmlgraphics-batik-rasterizer-1.17-1.1.aarch64"
}
},
{
"category": "product_version",
"name": "xmlgraphics-batik-slideshow-1.17-1.1.aarch64",
"product": {
"name": "xmlgraphics-batik-slideshow-1.17-1.1.aarch64",
"product_id": "xmlgraphics-batik-slideshow-1.17-1.1.aarch64"
}
},
{
"category": "product_version",
"name": "xmlgraphics-batik-squiggle-1.17-1.1.aarch64",
"product": {
"name": "xmlgraphics-batik-squiggle-1.17-1.1.aarch64",
"product_id": "xmlgraphics-batik-squiggle-1.17-1.1.aarch64"
}
},
{
"category": "product_version",
"name": "xmlgraphics-batik-svgpp-1.17-1.1.aarch64",
"product": {
"name": "xmlgraphics-batik-svgpp-1.17-1.1.aarch64",
"product_id": "xmlgraphics-batik-svgpp-1.17-1.1.aarch64"
}
},
{
"category": "product_version",
"name": "xmlgraphics-batik-ttf2svg-1.17-1.1.aarch64",
"product": {
"name": "xmlgraphics-batik-ttf2svg-1.17-1.1.aarch64",
"product_id": "xmlgraphics-batik-ttf2svg-1.17-1.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "xmlgraphics-batik-1.17-1.1.ppc64le",
"product": {
"name": "xmlgraphics-batik-1.17-1.1.ppc64le",
"product_id": "xmlgraphics-batik-1.17-1.1.ppc64le"
}
},
{
"category": "product_version",
"name": "xmlgraphics-batik-css-1.17-1.1.ppc64le",
"product": {
"name": "xmlgraphics-batik-css-1.17-1.1.ppc64le",
"product_id": "xmlgraphics-batik-css-1.17-1.1.ppc64le"
}
},
{
"category": "product_version",
"name": "xmlgraphics-batik-demo-1.17-1.1.ppc64le",
"product": {
"name": "xmlgraphics-batik-demo-1.17-1.1.ppc64le",
"product_id": "xmlgraphics-batik-demo-1.17-1.1.ppc64le"
}
},
{
"category": "product_version",
"name": "xmlgraphics-batik-javadoc-1.17-1.1.ppc64le",
"product": {
"name": "xmlgraphics-batik-javadoc-1.17-1.1.ppc64le",
"product_id": "xmlgraphics-batik-javadoc-1.17-1.1.ppc64le"
}
},
{
"category": "product_version",
"name": "xmlgraphics-batik-rasterizer-1.17-1.1.ppc64le",
"product": {
"name": "xmlgraphics-batik-rasterizer-1.17-1.1.ppc64le",
"product_id": "xmlgraphics-batik-rasterizer-1.17-1.1.ppc64le"
}
},
{
"category": "product_version",
"name": "xmlgraphics-batik-slideshow-1.17-1.1.ppc64le",
"product": {
"name": "xmlgraphics-batik-slideshow-1.17-1.1.ppc64le",
"product_id": "xmlgraphics-batik-slideshow-1.17-1.1.ppc64le"
}
},
{
"category": "product_version",
"name": "xmlgraphics-batik-squiggle-1.17-1.1.ppc64le",
"product": {
"name": "xmlgraphics-batik-squiggle-1.17-1.1.ppc64le",
"product_id": "xmlgraphics-batik-squiggle-1.17-1.1.ppc64le"
}
},
{
"category": "product_version",
"name": "xmlgraphics-batik-svgpp-1.17-1.1.ppc64le",
"product": {
"name": "xmlgraphics-batik-svgpp-1.17-1.1.ppc64le",
"product_id": "xmlgraphics-batik-svgpp-1.17-1.1.ppc64le"
}
},
{
"category": "product_version",
"name": "xmlgraphics-batik-ttf2svg-1.17-1.1.ppc64le",
"product": {
"name": "xmlgraphics-batik-ttf2svg-1.17-1.1.ppc64le",
"product_id": "xmlgraphics-batik-ttf2svg-1.17-1.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "xmlgraphics-batik-1.17-1.1.s390x",
"product": {
"name": "xmlgraphics-batik-1.17-1.1.s390x",
"product_id": "xmlgraphics-batik-1.17-1.1.s390x"
}
},
{
"category": "product_version",
"name": "xmlgraphics-batik-css-1.17-1.1.s390x",
"product": {
"name": "xmlgraphics-batik-css-1.17-1.1.s390x",
"product_id": "xmlgraphics-batik-css-1.17-1.1.s390x"
}
},
{
"category": "product_version",
"name": "xmlgraphics-batik-demo-1.17-1.1.s390x",
"product": {
"name": "xmlgraphics-batik-demo-1.17-1.1.s390x",
"product_id": "xmlgraphics-batik-demo-1.17-1.1.s390x"
}
},
{
"category": "product_version",
"name": "xmlgraphics-batik-javadoc-1.17-1.1.s390x",
"product": {
"name": "xmlgraphics-batik-javadoc-1.17-1.1.s390x",
"product_id": "xmlgraphics-batik-javadoc-1.17-1.1.s390x"
}
},
{
"category": "product_version",
"name": "xmlgraphics-batik-rasterizer-1.17-1.1.s390x",
"product": {
"name": "xmlgraphics-batik-rasterizer-1.17-1.1.s390x",
"product_id": "xmlgraphics-batik-rasterizer-1.17-1.1.s390x"
}
},
{
"category": "product_version",
"name": "xmlgraphics-batik-slideshow-1.17-1.1.s390x",
"product": {
"name": "xmlgraphics-batik-slideshow-1.17-1.1.s390x",
"product_id": "xmlgraphics-batik-slideshow-1.17-1.1.s390x"
}
},
{
"category": "product_version",
"name": "xmlgraphics-batik-squiggle-1.17-1.1.s390x",
"product": {
"name": "xmlgraphics-batik-squiggle-1.17-1.1.s390x",
"product_id": "xmlgraphics-batik-squiggle-1.17-1.1.s390x"
}
},
{
"category": "product_version",
"name": "xmlgraphics-batik-svgpp-1.17-1.1.s390x",
"product": {
"name": "xmlgraphics-batik-svgpp-1.17-1.1.s390x",
"product_id": "xmlgraphics-batik-svgpp-1.17-1.1.s390x"
}
},
{
"category": "product_version",
"name": "xmlgraphics-batik-ttf2svg-1.17-1.1.s390x",
"product": {
"name": "xmlgraphics-batik-ttf2svg-1.17-1.1.s390x",
"product_id": "xmlgraphics-batik-ttf2svg-1.17-1.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "xmlgraphics-batik-1.17-1.1.x86_64",
"product": {
"name": "xmlgraphics-batik-1.17-1.1.x86_64",
"product_id": "xmlgraphics-batik-1.17-1.1.x86_64"
}
},
{
"category": "product_version",
"name": "xmlgraphics-batik-css-1.17-1.1.x86_64",
"product": {
"name": "xmlgraphics-batik-css-1.17-1.1.x86_64",
"product_id": "xmlgraphics-batik-css-1.17-1.1.x86_64"
}
},
{
"category": "product_version",
"name": "xmlgraphics-batik-demo-1.17-1.1.x86_64",
"product": {
"name": "xmlgraphics-batik-demo-1.17-1.1.x86_64",
"product_id": "xmlgraphics-batik-demo-1.17-1.1.x86_64"
}
},
{
"category": "product_version",
"name": "xmlgraphics-batik-javadoc-1.17-1.1.x86_64",
"product": {
"name": "xmlgraphics-batik-javadoc-1.17-1.1.x86_64",
"product_id": "xmlgraphics-batik-javadoc-1.17-1.1.x86_64"
}
},
{
"category": "product_version",
"name": "xmlgraphics-batik-rasterizer-1.17-1.1.x86_64",
"product": {
"name": "xmlgraphics-batik-rasterizer-1.17-1.1.x86_64",
"product_id": "xmlgraphics-batik-rasterizer-1.17-1.1.x86_64"
}
},
{
"category": "product_version",
"name": "xmlgraphics-batik-slideshow-1.17-1.1.x86_64",
"product": {
"name": "xmlgraphics-batik-slideshow-1.17-1.1.x86_64",
"product_id": "xmlgraphics-batik-slideshow-1.17-1.1.x86_64"
}
},
{
"category": "product_version",
"name": "xmlgraphics-batik-squiggle-1.17-1.1.x86_64",
"product": {
"name": "xmlgraphics-batik-squiggle-1.17-1.1.x86_64",
"product_id": "xmlgraphics-batik-squiggle-1.17-1.1.x86_64"
}
},
{
"category": "product_version",
"name": "xmlgraphics-batik-svgpp-1.17-1.1.x86_64",
"product": {
"name": "xmlgraphics-batik-svgpp-1.17-1.1.x86_64",
"product_id": "xmlgraphics-batik-svgpp-1.17-1.1.x86_64"
}
},
{
"category": "product_version",
"name": "xmlgraphics-batik-ttf2svg-1.17-1.1.x86_64",
"product": {
"name": "xmlgraphics-batik-ttf2svg-1.17-1.1.x86_64",
"product_id": "xmlgraphics-batik-ttf2svg-1.17-1.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "openSUSE Tumbleweed",
"product": {
"name": "openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:tumbleweed"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "xmlgraphics-batik-1.17-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:xmlgraphics-batik-1.17-1.1.aarch64"
},
"product_reference": "xmlgraphics-batik-1.17-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "xmlgraphics-batik-1.17-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:xmlgraphics-batik-1.17-1.1.ppc64le"
},
"product_reference": "xmlgraphics-batik-1.17-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "xmlgraphics-batik-1.17-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:xmlgraphics-batik-1.17-1.1.s390x"
},
"product_reference": "xmlgraphics-batik-1.17-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "xmlgraphics-batik-1.17-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:xmlgraphics-batik-1.17-1.1.x86_64"
},
"product_reference": "xmlgraphics-batik-1.17-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "xmlgraphics-batik-css-1.17-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:xmlgraphics-batik-css-1.17-1.1.aarch64"
},
"product_reference": "xmlgraphics-batik-css-1.17-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "xmlgraphics-batik-css-1.17-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:xmlgraphics-batik-css-1.17-1.1.ppc64le"
},
"product_reference": "xmlgraphics-batik-css-1.17-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "xmlgraphics-batik-css-1.17-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:xmlgraphics-batik-css-1.17-1.1.s390x"
},
"product_reference": "xmlgraphics-batik-css-1.17-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "xmlgraphics-batik-css-1.17-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:xmlgraphics-batik-css-1.17-1.1.x86_64"
},
"product_reference": "xmlgraphics-batik-css-1.17-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "xmlgraphics-batik-demo-1.17-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:xmlgraphics-batik-demo-1.17-1.1.aarch64"
},
"product_reference": "xmlgraphics-batik-demo-1.17-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "xmlgraphics-batik-demo-1.17-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:xmlgraphics-batik-demo-1.17-1.1.ppc64le"
},
"product_reference": "xmlgraphics-batik-demo-1.17-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "xmlgraphics-batik-demo-1.17-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:xmlgraphics-batik-demo-1.17-1.1.s390x"
},
"product_reference": "xmlgraphics-batik-demo-1.17-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "xmlgraphics-batik-demo-1.17-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:xmlgraphics-batik-demo-1.17-1.1.x86_64"
},
"product_reference": "xmlgraphics-batik-demo-1.17-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "xmlgraphics-batik-javadoc-1.17-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:xmlgraphics-batik-javadoc-1.17-1.1.aarch64"
},
"product_reference": "xmlgraphics-batik-javadoc-1.17-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "xmlgraphics-batik-javadoc-1.17-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:xmlgraphics-batik-javadoc-1.17-1.1.ppc64le"
},
"product_reference": "xmlgraphics-batik-javadoc-1.17-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "xmlgraphics-batik-javadoc-1.17-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:xmlgraphics-batik-javadoc-1.17-1.1.s390x"
},
"product_reference": "xmlgraphics-batik-javadoc-1.17-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "xmlgraphics-batik-javadoc-1.17-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:xmlgraphics-batik-javadoc-1.17-1.1.x86_64"
},
"product_reference": "xmlgraphics-batik-javadoc-1.17-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "xmlgraphics-batik-rasterizer-1.17-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:xmlgraphics-batik-rasterizer-1.17-1.1.aarch64"
},
"product_reference": "xmlgraphics-batik-rasterizer-1.17-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "xmlgraphics-batik-rasterizer-1.17-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:xmlgraphics-batik-rasterizer-1.17-1.1.ppc64le"
},
"product_reference": "xmlgraphics-batik-rasterizer-1.17-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "xmlgraphics-batik-rasterizer-1.17-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:xmlgraphics-batik-rasterizer-1.17-1.1.s390x"
},
"product_reference": "xmlgraphics-batik-rasterizer-1.17-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "xmlgraphics-batik-rasterizer-1.17-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:xmlgraphics-batik-rasterizer-1.17-1.1.x86_64"
},
"product_reference": "xmlgraphics-batik-rasterizer-1.17-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "xmlgraphics-batik-slideshow-1.17-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:xmlgraphics-batik-slideshow-1.17-1.1.aarch64"
},
"product_reference": "xmlgraphics-batik-slideshow-1.17-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "xmlgraphics-batik-slideshow-1.17-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:xmlgraphics-batik-slideshow-1.17-1.1.ppc64le"
},
"product_reference": "xmlgraphics-batik-slideshow-1.17-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "xmlgraphics-batik-slideshow-1.17-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:xmlgraphics-batik-slideshow-1.17-1.1.s390x"
},
"product_reference": "xmlgraphics-batik-slideshow-1.17-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "xmlgraphics-batik-slideshow-1.17-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:xmlgraphics-batik-slideshow-1.17-1.1.x86_64"
},
"product_reference": "xmlgraphics-batik-slideshow-1.17-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "xmlgraphics-batik-squiggle-1.17-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:xmlgraphics-batik-squiggle-1.17-1.1.aarch64"
},
"product_reference": "xmlgraphics-batik-squiggle-1.17-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "xmlgraphics-batik-squiggle-1.17-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:xmlgraphics-batik-squiggle-1.17-1.1.ppc64le"
},
"product_reference": "xmlgraphics-batik-squiggle-1.17-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "xmlgraphics-batik-squiggle-1.17-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:xmlgraphics-batik-squiggle-1.17-1.1.s390x"
},
"product_reference": "xmlgraphics-batik-squiggle-1.17-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "xmlgraphics-batik-squiggle-1.17-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:xmlgraphics-batik-squiggle-1.17-1.1.x86_64"
},
"product_reference": "xmlgraphics-batik-squiggle-1.17-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "xmlgraphics-batik-svgpp-1.17-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:xmlgraphics-batik-svgpp-1.17-1.1.aarch64"
},
"product_reference": "xmlgraphics-batik-svgpp-1.17-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "xmlgraphics-batik-svgpp-1.17-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:xmlgraphics-batik-svgpp-1.17-1.1.ppc64le"
},
"product_reference": "xmlgraphics-batik-svgpp-1.17-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "xmlgraphics-batik-svgpp-1.17-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:xmlgraphics-batik-svgpp-1.17-1.1.s390x"
},
"product_reference": "xmlgraphics-batik-svgpp-1.17-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "xmlgraphics-batik-svgpp-1.17-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:xmlgraphics-batik-svgpp-1.17-1.1.x86_64"
},
"product_reference": "xmlgraphics-batik-svgpp-1.17-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "xmlgraphics-batik-ttf2svg-1.17-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:xmlgraphics-batik-ttf2svg-1.17-1.1.aarch64"
},
"product_reference": "xmlgraphics-batik-ttf2svg-1.17-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "xmlgraphics-batik-ttf2svg-1.17-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:xmlgraphics-batik-ttf2svg-1.17-1.1.ppc64le"
},
"product_reference": "xmlgraphics-batik-ttf2svg-1.17-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "xmlgraphics-batik-ttf2svg-1.17-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:xmlgraphics-batik-ttf2svg-1.17-1.1.s390x"
},
"product_reference": "xmlgraphics-batik-ttf2svg-1.17-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "xmlgraphics-batik-ttf2svg-1.17-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:xmlgraphics-batik-ttf2svg-1.17-1.1.x86_64"
},
"product_reference": "xmlgraphics-batik-ttf2svg-1.17-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2022-41704",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2022-41704"
}
],
"notes": [
{
"category": "general",
"text": "A vulnerability in Batik of Apache XML Graphics allows an attacker to run untrusted Java code from an SVG. This issue affects Apache XML Graphics prior to 1.16. It is recommended to update to version 1.16.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:xmlgraphics-batik-1.17-1.1.aarch64",
"openSUSE Tumbleweed:xmlgraphics-batik-1.17-1.1.ppc64le",
"openSUSE Tumbleweed:xmlgraphics-batik-1.17-1.1.s390x",
"openSUSE Tumbleweed:xmlgraphics-batik-1.17-1.1.x86_64",
"openSUSE Tumbleweed:xmlgraphics-batik-css-1.17-1.1.aarch64",
"openSUSE Tumbleweed:xmlgraphics-batik-css-1.17-1.1.ppc64le",
"openSUSE Tumbleweed:xmlgraphics-batik-css-1.17-1.1.s390x",
"openSUSE Tumbleweed:xmlgraphics-batik-css-1.17-1.1.x86_64",
"openSUSE Tumbleweed:xmlgraphics-batik-demo-1.17-1.1.aarch64",
"openSUSE Tumbleweed:xmlgraphics-batik-demo-1.17-1.1.ppc64le",
"openSUSE Tumbleweed:xmlgraphics-batik-demo-1.17-1.1.s390x",
"openSUSE Tumbleweed:xmlgraphics-batik-demo-1.17-1.1.x86_64",
"openSUSE Tumbleweed:xmlgraphics-batik-javadoc-1.17-1.1.aarch64",
"openSUSE Tumbleweed:xmlgraphics-batik-javadoc-1.17-1.1.ppc64le",
"openSUSE Tumbleweed:xmlgraphics-batik-javadoc-1.17-1.1.s390x",
"openSUSE Tumbleweed:xmlgraphics-batik-javadoc-1.17-1.1.x86_64",
"openSUSE Tumbleweed:xmlgraphics-batik-rasterizer-1.17-1.1.aarch64",
"openSUSE Tumbleweed:xmlgraphics-batik-rasterizer-1.17-1.1.ppc64le",
"openSUSE Tumbleweed:xmlgraphics-batik-rasterizer-1.17-1.1.s390x",
"openSUSE Tumbleweed:xmlgraphics-batik-rasterizer-1.17-1.1.x86_64",
"openSUSE Tumbleweed:xmlgraphics-batik-slideshow-1.17-1.1.aarch64",
"openSUSE Tumbleweed:xmlgraphics-batik-slideshow-1.17-1.1.ppc64le",
"openSUSE Tumbleweed:xmlgraphics-batik-slideshow-1.17-1.1.s390x",
"openSUSE Tumbleweed:xmlgraphics-batik-slideshow-1.17-1.1.x86_64",
"openSUSE Tumbleweed:xmlgraphics-batik-squiggle-1.17-1.1.aarch64",
"openSUSE Tumbleweed:xmlgraphics-batik-squiggle-1.17-1.1.ppc64le",
"openSUSE Tumbleweed:xmlgraphics-batik-squiggle-1.17-1.1.s390x",
"openSUSE Tumbleweed:xmlgraphics-batik-squiggle-1.17-1.1.x86_64",
"openSUSE Tumbleweed:xmlgraphics-batik-svgpp-1.17-1.1.aarch64",
"openSUSE Tumbleweed:xmlgraphics-batik-svgpp-1.17-1.1.ppc64le",
"openSUSE Tumbleweed:xmlgraphics-batik-svgpp-1.17-1.1.s390x",
"openSUSE Tumbleweed:xmlgraphics-batik-svgpp-1.17-1.1.x86_64",
"openSUSE Tumbleweed:xmlgraphics-batik-ttf2svg-1.17-1.1.aarch64",
"openSUSE Tumbleweed:xmlgraphics-batik-ttf2svg-1.17-1.1.ppc64le",
"openSUSE Tumbleweed:xmlgraphics-batik-ttf2svg-1.17-1.1.s390x",
"openSUSE Tumbleweed:xmlgraphics-batik-ttf2svg-1.17-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2022-41704",
"url": "https://www.suse.com/security/cve/CVE-2022-41704"
},
{
"category": "external",
"summary": "SUSE Bug 1204704 for CVE-2022-41704",
"url": "https://bugzilla.suse.com/1204704"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:xmlgraphics-batik-1.17-1.1.aarch64",
"openSUSE Tumbleweed:xmlgraphics-batik-1.17-1.1.ppc64le",
"openSUSE Tumbleweed:xmlgraphics-batik-1.17-1.1.s390x",
"openSUSE Tumbleweed:xmlgraphics-batik-1.17-1.1.x86_64",
"openSUSE Tumbleweed:xmlgraphics-batik-css-1.17-1.1.aarch64",
"openSUSE Tumbleweed:xmlgraphics-batik-css-1.17-1.1.ppc64le",
"openSUSE Tumbleweed:xmlgraphics-batik-css-1.17-1.1.s390x",
"openSUSE Tumbleweed:xmlgraphics-batik-css-1.17-1.1.x86_64",
"openSUSE Tumbleweed:xmlgraphics-batik-demo-1.17-1.1.aarch64",
"openSUSE Tumbleweed:xmlgraphics-batik-demo-1.17-1.1.ppc64le",
"openSUSE Tumbleweed:xmlgraphics-batik-demo-1.17-1.1.s390x",
"openSUSE Tumbleweed:xmlgraphics-batik-demo-1.17-1.1.x86_64",
"openSUSE Tumbleweed:xmlgraphics-batik-javadoc-1.17-1.1.aarch64",
"openSUSE Tumbleweed:xmlgraphics-batik-javadoc-1.17-1.1.ppc64le",
"openSUSE Tumbleweed:xmlgraphics-batik-javadoc-1.17-1.1.s390x",
"openSUSE Tumbleweed:xmlgraphics-batik-javadoc-1.17-1.1.x86_64",
"openSUSE Tumbleweed:xmlgraphics-batik-rasterizer-1.17-1.1.aarch64",
"openSUSE Tumbleweed:xmlgraphics-batik-rasterizer-1.17-1.1.ppc64le",
"openSUSE Tumbleweed:xmlgraphics-batik-rasterizer-1.17-1.1.s390x",
"openSUSE Tumbleweed:xmlgraphics-batik-rasterizer-1.17-1.1.x86_64",
"openSUSE Tumbleweed:xmlgraphics-batik-slideshow-1.17-1.1.aarch64",
"openSUSE Tumbleweed:xmlgraphics-batik-slideshow-1.17-1.1.ppc64le",
"openSUSE Tumbleweed:xmlgraphics-batik-slideshow-1.17-1.1.s390x",
"openSUSE Tumbleweed:xmlgraphics-batik-slideshow-1.17-1.1.x86_64",
"openSUSE Tumbleweed:xmlgraphics-batik-squiggle-1.17-1.1.aarch64",
"openSUSE Tumbleweed:xmlgraphics-batik-squiggle-1.17-1.1.ppc64le",
"openSUSE Tumbleweed:xmlgraphics-batik-squiggle-1.17-1.1.s390x",
"openSUSE Tumbleweed:xmlgraphics-batik-squiggle-1.17-1.1.x86_64",
"openSUSE Tumbleweed:xmlgraphics-batik-svgpp-1.17-1.1.aarch64",
"openSUSE Tumbleweed:xmlgraphics-batik-svgpp-1.17-1.1.ppc64le",
"openSUSE Tumbleweed:xmlgraphics-batik-svgpp-1.17-1.1.s390x",
"openSUSE Tumbleweed:xmlgraphics-batik-svgpp-1.17-1.1.x86_64",
"openSUSE Tumbleweed:xmlgraphics-batik-ttf2svg-1.17-1.1.aarch64",
"openSUSE Tumbleweed:xmlgraphics-batik-ttf2svg-1.17-1.1.ppc64le",
"openSUSE Tumbleweed:xmlgraphics-batik-ttf2svg-1.17-1.1.s390x",
"openSUSE Tumbleweed:xmlgraphics-batik-ttf2svg-1.17-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:xmlgraphics-batik-1.17-1.1.aarch64",
"openSUSE Tumbleweed:xmlgraphics-batik-1.17-1.1.ppc64le",
"openSUSE Tumbleweed:xmlgraphics-batik-1.17-1.1.s390x",
"openSUSE Tumbleweed:xmlgraphics-batik-1.17-1.1.x86_64",
"openSUSE Tumbleweed:xmlgraphics-batik-css-1.17-1.1.aarch64",
"openSUSE Tumbleweed:xmlgraphics-batik-css-1.17-1.1.ppc64le",
"openSUSE Tumbleweed:xmlgraphics-batik-css-1.17-1.1.s390x",
"openSUSE Tumbleweed:xmlgraphics-batik-css-1.17-1.1.x86_64",
"openSUSE Tumbleweed:xmlgraphics-batik-demo-1.17-1.1.aarch64",
"openSUSE Tumbleweed:xmlgraphics-batik-demo-1.17-1.1.ppc64le",
"openSUSE Tumbleweed:xmlgraphics-batik-demo-1.17-1.1.s390x",
"openSUSE Tumbleweed:xmlgraphics-batik-demo-1.17-1.1.x86_64",
"openSUSE Tumbleweed:xmlgraphics-batik-javadoc-1.17-1.1.aarch64",
"openSUSE Tumbleweed:xmlgraphics-batik-javadoc-1.17-1.1.ppc64le",
"openSUSE Tumbleweed:xmlgraphics-batik-javadoc-1.17-1.1.s390x",
"openSUSE Tumbleweed:xmlgraphics-batik-javadoc-1.17-1.1.x86_64",
"openSUSE Tumbleweed:xmlgraphics-batik-rasterizer-1.17-1.1.aarch64",
"openSUSE Tumbleweed:xmlgraphics-batik-rasterizer-1.17-1.1.ppc64le",
"openSUSE Tumbleweed:xmlgraphics-batik-rasterizer-1.17-1.1.s390x",
"openSUSE Tumbleweed:xmlgraphics-batik-rasterizer-1.17-1.1.x86_64",
"openSUSE Tumbleweed:xmlgraphics-batik-slideshow-1.17-1.1.aarch64",
"openSUSE Tumbleweed:xmlgraphics-batik-slideshow-1.17-1.1.ppc64le",
"openSUSE Tumbleweed:xmlgraphics-batik-slideshow-1.17-1.1.s390x",
"openSUSE Tumbleweed:xmlgraphics-batik-slideshow-1.17-1.1.x86_64",
"openSUSE Tumbleweed:xmlgraphics-batik-squiggle-1.17-1.1.aarch64",
"openSUSE Tumbleweed:xmlgraphics-batik-squiggle-1.17-1.1.ppc64le",
"openSUSE Tumbleweed:xmlgraphics-batik-squiggle-1.17-1.1.s390x",
"openSUSE Tumbleweed:xmlgraphics-batik-squiggle-1.17-1.1.x86_64",
"openSUSE Tumbleweed:xmlgraphics-batik-svgpp-1.17-1.1.aarch64",
"openSUSE Tumbleweed:xmlgraphics-batik-svgpp-1.17-1.1.ppc64le",
"openSUSE Tumbleweed:xmlgraphics-batik-svgpp-1.17-1.1.s390x",
"openSUSE Tumbleweed:xmlgraphics-batik-svgpp-1.17-1.1.x86_64",
"openSUSE Tumbleweed:xmlgraphics-batik-ttf2svg-1.17-1.1.aarch64",
"openSUSE Tumbleweed:xmlgraphics-batik-ttf2svg-1.17-1.1.ppc64le",
"openSUSE Tumbleweed:xmlgraphics-batik-ttf2svg-1.17-1.1.s390x",
"openSUSE Tumbleweed:xmlgraphics-batik-ttf2svg-1.17-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-15T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2022-41704"
},
{
"cve": "CVE-2022-42890",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2022-42890"
}
],
"notes": [
{
"category": "general",
"text": "A vulnerability in Batik of Apache XML Graphics allows an attacker to run Java code from untrusted SVG via JavaScript. This issue affects Apache XML Graphics prior to 1.16. Users are recommended to upgrade to version 1.16.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:xmlgraphics-batik-1.17-1.1.aarch64",
"openSUSE Tumbleweed:xmlgraphics-batik-1.17-1.1.ppc64le",
"openSUSE Tumbleweed:xmlgraphics-batik-1.17-1.1.s390x",
"openSUSE Tumbleweed:xmlgraphics-batik-1.17-1.1.x86_64",
"openSUSE Tumbleweed:xmlgraphics-batik-css-1.17-1.1.aarch64",
"openSUSE Tumbleweed:xmlgraphics-batik-css-1.17-1.1.ppc64le",
"openSUSE Tumbleweed:xmlgraphics-batik-css-1.17-1.1.s390x",
"openSUSE Tumbleweed:xmlgraphics-batik-css-1.17-1.1.x86_64",
"openSUSE Tumbleweed:xmlgraphics-batik-demo-1.17-1.1.aarch64",
"openSUSE Tumbleweed:xmlgraphics-batik-demo-1.17-1.1.ppc64le",
"openSUSE Tumbleweed:xmlgraphics-batik-demo-1.17-1.1.s390x",
"openSUSE Tumbleweed:xmlgraphics-batik-demo-1.17-1.1.x86_64",
"openSUSE Tumbleweed:xmlgraphics-batik-javadoc-1.17-1.1.aarch64",
"openSUSE Tumbleweed:xmlgraphics-batik-javadoc-1.17-1.1.ppc64le",
"openSUSE Tumbleweed:xmlgraphics-batik-javadoc-1.17-1.1.s390x",
"openSUSE Tumbleweed:xmlgraphics-batik-javadoc-1.17-1.1.x86_64",
"openSUSE Tumbleweed:xmlgraphics-batik-rasterizer-1.17-1.1.aarch64",
"openSUSE Tumbleweed:xmlgraphics-batik-rasterizer-1.17-1.1.ppc64le",
"openSUSE Tumbleweed:xmlgraphics-batik-rasterizer-1.17-1.1.s390x",
"openSUSE Tumbleweed:xmlgraphics-batik-rasterizer-1.17-1.1.x86_64",
"openSUSE Tumbleweed:xmlgraphics-batik-slideshow-1.17-1.1.aarch64",
"openSUSE Tumbleweed:xmlgraphics-batik-slideshow-1.17-1.1.ppc64le",
"openSUSE Tumbleweed:xmlgraphics-batik-slideshow-1.17-1.1.s390x",
"openSUSE Tumbleweed:xmlgraphics-batik-slideshow-1.17-1.1.x86_64",
"openSUSE Tumbleweed:xmlgraphics-batik-squiggle-1.17-1.1.aarch64",
"openSUSE Tumbleweed:xmlgraphics-batik-squiggle-1.17-1.1.ppc64le",
"openSUSE Tumbleweed:xmlgraphics-batik-squiggle-1.17-1.1.s390x",
"openSUSE Tumbleweed:xmlgraphics-batik-squiggle-1.17-1.1.x86_64",
"openSUSE Tumbleweed:xmlgraphics-batik-svgpp-1.17-1.1.aarch64",
"openSUSE Tumbleweed:xmlgraphics-batik-svgpp-1.17-1.1.ppc64le",
"openSUSE Tumbleweed:xmlgraphics-batik-svgpp-1.17-1.1.s390x",
"openSUSE Tumbleweed:xmlgraphics-batik-svgpp-1.17-1.1.x86_64",
"openSUSE Tumbleweed:xmlgraphics-batik-ttf2svg-1.17-1.1.aarch64",
"openSUSE Tumbleweed:xmlgraphics-batik-ttf2svg-1.17-1.1.ppc64le",
"openSUSE Tumbleweed:xmlgraphics-batik-ttf2svg-1.17-1.1.s390x",
"openSUSE Tumbleweed:xmlgraphics-batik-ttf2svg-1.17-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2022-42890",
"url": "https://www.suse.com/security/cve/CVE-2022-42890"
},
{
"category": "external",
"summary": "SUSE Bug 1204709 for CVE-2022-42890",
"url": "https://bugzilla.suse.com/1204709"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:xmlgraphics-batik-1.17-1.1.aarch64",
"openSUSE Tumbleweed:xmlgraphics-batik-1.17-1.1.ppc64le",
"openSUSE Tumbleweed:xmlgraphics-batik-1.17-1.1.s390x",
"openSUSE Tumbleweed:xmlgraphics-batik-1.17-1.1.x86_64",
"openSUSE Tumbleweed:xmlgraphics-batik-css-1.17-1.1.aarch64",
"openSUSE Tumbleweed:xmlgraphics-batik-css-1.17-1.1.ppc64le",
"openSUSE Tumbleweed:xmlgraphics-batik-css-1.17-1.1.s390x",
"openSUSE Tumbleweed:xmlgraphics-batik-css-1.17-1.1.x86_64",
"openSUSE Tumbleweed:xmlgraphics-batik-demo-1.17-1.1.aarch64",
"openSUSE Tumbleweed:xmlgraphics-batik-demo-1.17-1.1.ppc64le",
"openSUSE Tumbleweed:xmlgraphics-batik-demo-1.17-1.1.s390x",
"openSUSE Tumbleweed:xmlgraphics-batik-demo-1.17-1.1.x86_64",
"openSUSE Tumbleweed:xmlgraphics-batik-javadoc-1.17-1.1.aarch64",
"openSUSE Tumbleweed:xmlgraphics-batik-javadoc-1.17-1.1.ppc64le",
"openSUSE Tumbleweed:xmlgraphics-batik-javadoc-1.17-1.1.s390x",
"openSUSE Tumbleweed:xmlgraphics-batik-javadoc-1.17-1.1.x86_64",
"openSUSE Tumbleweed:xmlgraphics-batik-rasterizer-1.17-1.1.aarch64",
"openSUSE Tumbleweed:xmlgraphics-batik-rasterizer-1.17-1.1.ppc64le",
"openSUSE Tumbleweed:xmlgraphics-batik-rasterizer-1.17-1.1.s390x",
"openSUSE Tumbleweed:xmlgraphics-batik-rasterizer-1.17-1.1.x86_64",
"openSUSE Tumbleweed:xmlgraphics-batik-slideshow-1.17-1.1.aarch64",
"openSUSE Tumbleweed:xmlgraphics-batik-slideshow-1.17-1.1.ppc64le",
"openSUSE Tumbleweed:xmlgraphics-batik-slideshow-1.17-1.1.s390x",
"openSUSE Tumbleweed:xmlgraphics-batik-slideshow-1.17-1.1.x86_64",
"openSUSE Tumbleweed:xmlgraphics-batik-squiggle-1.17-1.1.aarch64",
"openSUSE Tumbleweed:xmlgraphics-batik-squiggle-1.17-1.1.ppc64le",
"openSUSE Tumbleweed:xmlgraphics-batik-squiggle-1.17-1.1.s390x",
"openSUSE Tumbleweed:xmlgraphics-batik-squiggle-1.17-1.1.x86_64",
"openSUSE Tumbleweed:xmlgraphics-batik-svgpp-1.17-1.1.aarch64",
"openSUSE Tumbleweed:xmlgraphics-batik-svgpp-1.17-1.1.ppc64le",
"openSUSE Tumbleweed:xmlgraphics-batik-svgpp-1.17-1.1.s390x",
"openSUSE Tumbleweed:xmlgraphics-batik-svgpp-1.17-1.1.x86_64",
"openSUSE Tumbleweed:xmlgraphics-batik-ttf2svg-1.17-1.1.aarch64",
"openSUSE Tumbleweed:xmlgraphics-batik-ttf2svg-1.17-1.1.ppc64le",
"openSUSE Tumbleweed:xmlgraphics-batik-ttf2svg-1.17-1.1.s390x",
"openSUSE Tumbleweed:xmlgraphics-batik-ttf2svg-1.17-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:xmlgraphics-batik-1.17-1.1.aarch64",
"openSUSE Tumbleweed:xmlgraphics-batik-1.17-1.1.ppc64le",
"openSUSE Tumbleweed:xmlgraphics-batik-1.17-1.1.s390x",
"openSUSE Tumbleweed:xmlgraphics-batik-1.17-1.1.x86_64",
"openSUSE Tumbleweed:xmlgraphics-batik-css-1.17-1.1.aarch64",
"openSUSE Tumbleweed:xmlgraphics-batik-css-1.17-1.1.ppc64le",
"openSUSE Tumbleweed:xmlgraphics-batik-css-1.17-1.1.s390x",
"openSUSE Tumbleweed:xmlgraphics-batik-css-1.17-1.1.x86_64",
"openSUSE Tumbleweed:xmlgraphics-batik-demo-1.17-1.1.aarch64",
"openSUSE Tumbleweed:xmlgraphics-batik-demo-1.17-1.1.ppc64le",
"openSUSE Tumbleweed:xmlgraphics-batik-demo-1.17-1.1.s390x",
"openSUSE Tumbleweed:xmlgraphics-batik-demo-1.17-1.1.x86_64",
"openSUSE Tumbleweed:xmlgraphics-batik-javadoc-1.17-1.1.aarch64",
"openSUSE Tumbleweed:xmlgraphics-batik-javadoc-1.17-1.1.ppc64le",
"openSUSE Tumbleweed:xmlgraphics-batik-javadoc-1.17-1.1.s390x",
"openSUSE Tumbleweed:xmlgraphics-batik-javadoc-1.17-1.1.x86_64",
"openSUSE Tumbleweed:xmlgraphics-batik-rasterizer-1.17-1.1.aarch64",
"openSUSE Tumbleweed:xmlgraphics-batik-rasterizer-1.17-1.1.ppc64le",
"openSUSE Tumbleweed:xmlgraphics-batik-rasterizer-1.17-1.1.s390x",
"openSUSE Tumbleweed:xmlgraphics-batik-rasterizer-1.17-1.1.x86_64",
"openSUSE Tumbleweed:xmlgraphics-batik-slideshow-1.17-1.1.aarch64",
"openSUSE Tumbleweed:xmlgraphics-batik-slideshow-1.17-1.1.ppc64le",
"openSUSE Tumbleweed:xmlgraphics-batik-slideshow-1.17-1.1.s390x",
"openSUSE Tumbleweed:xmlgraphics-batik-slideshow-1.17-1.1.x86_64",
"openSUSE Tumbleweed:xmlgraphics-batik-squiggle-1.17-1.1.aarch64",
"openSUSE Tumbleweed:xmlgraphics-batik-squiggle-1.17-1.1.ppc64le",
"openSUSE Tumbleweed:xmlgraphics-batik-squiggle-1.17-1.1.s390x",
"openSUSE Tumbleweed:xmlgraphics-batik-squiggle-1.17-1.1.x86_64",
"openSUSE Tumbleweed:xmlgraphics-batik-svgpp-1.17-1.1.aarch64",
"openSUSE Tumbleweed:xmlgraphics-batik-svgpp-1.17-1.1.ppc64le",
"openSUSE Tumbleweed:xmlgraphics-batik-svgpp-1.17-1.1.s390x",
"openSUSE Tumbleweed:xmlgraphics-batik-svgpp-1.17-1.1.x86_64",
"openSUSE Tumbleweed:xmlgraphics-batik-ttf2svg-1.17-1.1.aarch64",
"openSUSE Tumbleweed:xmlgraphics-batik-ttf2svg-1.17-1.1.ppc64le",
"openSUSE Tumbleweed:xmlgraphics-batik-ttf2svg-1.17-1.1.s390x",
"openSUSE Tumbleweed:xmlgraphics-batik-ttf2svg-1.17-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-15T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2022-42890"
},
{
"cve": "CVE-2022-44729",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2022-44729"
}
],
"notes": [
{
"category": "general",
"text": "Server-Side Request Forgery (SSRF) vulnerability in Apache Software Foundation Apache XML Graphics Batik.This issue affects Apache XML Graphics Batik: 1.16.\n\nOn version 1.16, a malicious SVG could trigger loading external resources by default, causing resource consumption or in some cases even information disclosure. Users are recommended to upgrade to version 1.17 or later.\n\n",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:xmlgraphics-batik-1.17-1.1.aarch64",
"openSUSE Tumbleweed:xmlgraphics-batik-1.17-1.1.ppc64le",
"openSUSE Tumbleweed:xmlgraphics-batik-1.17-1.1.s390x",
"openSUSE Tumbleweed:xmlgraphics-batik-1.17-1.1.x86_64",
"openSUSE Tumbleweed:xmlgraphics-batik-css-1.17-1.1.aarch64",
"openSUSE Tumbleweed:xmlgraphics-batik-css-1.17-1.1.ppc64le",
"openSUSE Tumbleweed:xmlgraphics-batik-css-1.17-1.1.s390x",
"openSUSE Tumbleweed:xmlgraphics-batik-css-1.17-1.1.x86_64",
"openSUSE Tumbleweed:xmlgraphics-batik-demo-1.17-1.1.aarch64",
"openSUSE Tumbleweed:xmlgraphics-batik-demo-1.17-1.1.ppc64le",
"openSUSE Tumbleweed:xmlgraphics-batik-demo-1.17-1.1.s390x",
"openSUSE Tumbleweed:xmlgraphics-batik-demo-1.17-1.1.x86_64",
"openSUSE Tumbleweed:xmlgraphics-batik-javadoc-1.17-1.1.aarch64",
"openSUSE Tumbleweed:xmlgraphics-batik-javadoc-1.17-1.1.ppc64le",
"openSUSE Tumbleweed:xmlgraphics-batik-javadoc-1.17-1.1.s390x",
"openSUSE Tumbleweed:xmlgraphics-batik-javadoc-1.17-1.1.x86_64",
"openSUSE Tumbleweed:xmlgraphics-batik-rasterizer-1.17-1.1.aarch64",
"openSUSE Tumbleweed:xmlgraphics-batik-rasterizer-1.17-1.1.ppc64le",
"openSUSE Tumbleweed:xmlgraphics-batik-rasterizer-1.17-1.1.s390x",
"openSUSE Tumbleweed:xmlgraphics-batik-rasterizer-1.17-1.1.x86_64",
"openSUSE Tumbleweed:xmlgraphics-batik-slideshow-1.17-1.1.aarch64",
"openSUSE Tumbleweed:xmlgraphics-batik-slideshow-1.17-1.1.ppc64le",
"openSUSE Tumbleweed:xmlgraphics-batik-slideshow-1.17-1.1.s390x",
"openSUSE Tumbleweed:xmlgraphics-batik-slideshow-1.17-1.1.x86_64",
"openSUSE Tumbleweed:xmlgraphics-batik-squiggle-1.17-1.1.aarch64",
"openSUSE Tumbleweed:xmlgraphics-batik-squiggle-1.17-1.1.ppc64le",
"openSUSE Tumbleweed:xmlgraphics-batik-squiggle-1.17-1.1.s390x",
"openSUSE Tumbleweed:xmlgraphics-batik-squiggle-1.17-1.1.x86_64",
"openSUSE Tumbleweed:xmlgraphics-batik-svgpp-1.17-1.1.aarch64",
"openSUSE Tumbleweed:xmlgraphics-batik-svgpp-1.17-1.1.ppc64le",
"openSUSE Tumbleweed:xmlgraphics-batik-svgpp-1.17-1.1.s390x",
"openSUSE Tumbleweed:xmlgraphics-batik-svgpp-1.17-1.1.x86_64",
"openSUSE Tumbleweed:xmlgraphics-batik-ttf2svg-1.17-1.1.aarch64",
"openSUSE Tumbleweed:xmlgraphics-batik-ttf2svg-1.17-1.1.ppc64le",
"openSUSE Tumbleweed:xmlgraphics-batik-ttf2svg-1.17-1.1.s390x",
"openSUSE Tumbleweed:xmlgraphics-batik-ttf2svg-1.17-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2022-44729",
"url": "https://www.suse.com/security/cve/CVE-2022-44729"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:xmlgraphics-batik-1.17-1.1.aarch64",
"openSUSE Tumbleweed:xmlgraphics-batik-1.17-1.1.ppc64le",
"openSUSE Tumbleweed:xmlgraphics-batik-1.17-1.1.s390x",
"openSUSE Tumbleweed:xmlgraphics-batik-1.17-1.1.x86_64",
"openSUSE Tumbleweed:xmlgraphics-batik-css-1.17-1.1.aarch64",
"openSUSE Tumbleweed:xmlgraphics-batik-css-1.17-1.1.ppc64le",
"openSUSE Tumbleweed:xmlgraphics-batik-css-1.17-1.1.s390x",
"openSUSE Tumbleweed:xmlgraphics-batik-css-1.17-1.1.x86_64",
"openSUSE Tumbleweed:xmlgraphics-batik-demo-1.17-1.1.aarch64",
"openSUSE Tumbleweed:xmlgraphics-batik-demo-1.17-1.1.ppc64le",
"openSUSE Tumbleweed:xmlgraphics-batik-demo-1.17-1.1.s390x",
"openSUSE Tumbleweed:xmlgraphics-batik-demo-1.17-1.1.x86_64",
"openSUSE Tumbleweed:xmlgraphics-batik-javadoc-1.17-1.1.aarch64",
"openSUSE Tumbleweed:xmlgraphics-batik-javadoc-1.17-1.1.ppc64le",
"openSUSE Tumbleweed:xmlgraphics-batik-javadoc-1.17-1.1.s390x",
"openSUSE Tumbleweed:xmlgraphics-batik-javadoc-1.17-1.1.x86_64",
"openSUSE Tumbleweed:xmlgraphics-batik-rasterizer-1.17-1.1.aarch64",
"openSUSE Tumbleweed:xmlgraphics-batik-rasterizer-1.17-1.1.ppc64le",
"openSUSE Tumbleweed:xmlgraphics-batik-rasterizer-1.17-1.1.s390x",
"openSUSE Tumbleweed:xmlgraphics-batik-rasterizer-1.17-1.1.x86_64",
"openSUSE Tumbleweed:xmlgraphics-batik-slideshow-1.17-1.1.aarch64",
"openSUSE Tumbleweed:xmlgraphics-batik-slideshow-1.17-1.1.ppc64le",
"openSUSE Tumbleweed:xmlgraphics-batik-slideshow-1.17-1.1.s390x",
"openSUSE Tumbleweed:xmlgraphics-batik-slideshow-1.17-1.1.x86_64",
"openSUSE Tumbleweed:xmlgraphics-batik-squiggle-1.17-1.1.aarch64",
"openSUSE Tumbleweed:xmlgraphics-batik-squiggle-1.17-1.1.ppc64le",
"openSUSE Tumbleweed:xmlgraphics-batik-squiggle-1.17-1.1.s390x",
"openSUSE Tumbleweed:xmlgraphics-batik-squiggle-1.17-1.1.x86_64",
"openSUSE Tumbleweed:xmlgraphics-batik-svgpp-1.17-1.1.aarch64",
"openSUSE Tumbleweed:xmlgraphics-batik-svgpp-1.17-1.1.ppc64le",
"openSUSE Tumbleweed:xmlgraphics-batik-svgpp-1.17-1.1.s390x",
"openSUSE Tumbleweed:xmlgraphics-batik-svgpp-1.17-1.1.x86_64",
"openSUSE Tumbleweed:xmlgraphics-batik-ttf2svg-1.17-1.1.aarch64",
"openSUSE Tumbleweed:xmlgraphics-batik-ttf2svg-1.17-1.1.ppc64le",
"openSUSE Tumbleweed:xmlgraphics-batik-ttf2svg-1.17-1.1.s390x",
"openSUSE Tumbleweed:xmlgraphics-batik-ttf2svg-1.17-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:xmlgraphics-batik-1.17-1.1.aarch64",
"openSUSE Tumbleweed:xmlgraphics-batik-1.17-1.1.ppc64le",
"openSUSE Tumbleweed:xmlgraphics-batik-1.17-1.1.s390x",
"openSUSE Tumbleweed:xmlgraphics-batik-1.17-1.1.x86_64",
"openSUSE Tumbleweed:xmlgraphics-batik-css-1.17-1.1.aarch64",
"openSUSE Tumbleweed:xmlgraphics-batik-css-1.17-1.1.ppc64le",
"openSUSE Tumbleweed:xmlgraphics-batik-css-1.17-1.1.s390x",
"openSUSE Tumbleweed:xmlgraphics-batik-css-1.17-1.1.x86_64",
"openSUSE Tumbleweed:xmlgraphics-batik-demo-1.17-1.1.aarch64",
"openSUSE Tumbleweed:xmlgraphics-batik-demo-1.17-1.1.ppc64le",
"openSUSE Tumbleweed:xmlgraphics-batik-demo-1.17-1.1.s390x",
"openSUSE Tumbleweed:xmlgraphics-batik-demo-1.17-1.1.x86_64",
"openSUSE Tumbleweed:xmlgraphics-batik-javadoc-1.17-1.1.aarch64",
"openSUSE Tumbleweed:xmlgraphics-batik-javadoc-1.17-1.1.ppc64le",
"openSUSE Tumbleweed:xmlgraphics-batik-javadoc-1.17-1.1.s390x",
"openSUSE Tumbleweed:xmlgraphics-batik-javadoc-1.17-1.1.x86_64",
"openSUSE Tumbleweed:xmlgraphics-batik-rasterizer-1.17-1.1.aarch64",
"openSUSE Tumbleweed:xmlgraphics-batik-rasterizer-1.17-1.1.ppc64le",
"openSUSE Tumbleweed:xmlgraphics-batik-rasterizer-1.17-1.1.s390x",
"openSUSE Tumbleweed:xmlgraphics-batik-rasterizer-1.17-1.1.x86_64",
"openSUSE Tumbleweed:xmlgraphics-batik-slideshow-1.17-1.1.aarch64",
"openSUSE Tumbleweed:xmlgraphics-batik-slideshow-1.17-1.1.ppc64le",
"openSUSE Tumbleweed:xmlgraphics-batik-slideshow-1.17-1.1.s390x",
"openSUSE Tumbleweed:xmlgraphics-batik-slideshow-1.17-1.1.x86_64",
"openSUSE Tumbleweed:xmlgraphics-batik-squiggle-1.17-1.1.aarch64",
"openSUSE Tumbleweed:xmlgraphics-batik-squiggle-1.17-1.1.ppc64le",
"openSUSE Tumbleweed:xmlgraphics-batik-squiggle-1.17-1.1.s390x",
"openSUSE Tumbleweed:xmlgraphics-batik-squiggle-1.17-1.1.x86_64",
"openSUSE Tumbleweed:xmlgraphics-batik-svgpp-1.17-1.1.aarch64",
"openSUSE Tumbleweed:xmlgraphics-batik-svgpp-1.17-1.1.ppc64le",
"openSUSE Tumbleweed:xmlgraphics-batik-svgpp-1.17-1.1.s390x",
"openSUSE Tumbleweed:xmlgraphics-batik-svgpp-1.17-1.1.x86_64",
"openSUSE Tumbleweed:xmlgraphics-batik-ttf2svg-1.17-1.1.aarch64",
"openSUSE Tumbleweed:xmlgraphics-batik-ttf2svg-1.17-1.1.ppc64le",
"openSUSE Tumbleweed:xmlgraphics-batik-ttf2svg-1.17-1.1.s390x",
"openSUSE Tumbleweed:xmlgraphics-batik-ttf2svg-1.17-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-15T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2022-44729"
},
{
"cve": "CVE-2022-44730",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2022-44730"
}
],
"notes": [
{
"category": "general",
"text": "Server-Side Request Forgery (SSRF) vulnerability in Apache Software Foundation Apache XML Graphics Batik.This issue affects Apache XML Graphics Batik: 1.16.\n\nA malicious SVG can probe user profile / data and send it directly as parameter to a URL.\n\n",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:xmlgraphics-batik-1.17-1.1.aarch64",
"openSUSE Tumbleweed:xmlgraphics-batik-1.17-1.1.ppc64le",
"openSUSE Tumbleweed:xmlgraphics-batik-1.17-1.1.s390x",
"openSUSE Tumbleweed:xmlgraphics-batik-1.17-1.1.x86_64",
"openSUSE Tumbleweed:xmlgraphics-batik-css-1.17-1.1.aarch64",
"openSUSE Tumbleweed:xmlgraphics-batik-css-1.17-1.1.ppc64le",
"openSUSE Tumbleweed:xmlgraphics-batik-css-1.17-1.1.s390x",
"openSUSE Tumbleweed:xmlgraphics-batik-css-1.17-1.1.x86_64",
"openSUSE Tumbleweed:xmlgraphics-batik-demo-1.17-1.1.aarch64",
"openSUSE Tumbleweed:xmlgraphics-batik-demo-1.17-1.1.ppc64le",
"openSUSE Tumbleweed:xmlgraphics-batik-demo-1.17-1.1.s390x",
"openSUSE Tumbleweed:xmlgraphics-batik-demo-1.17-1.1.x86_64",
"openSUSE Tumbleweed:xmlgraphics-batik-javadoc-1.17-1.1.aarch64",
"openSUSE Tumbleweed:xmlgraphics-batik-javadoc-1.17-1.1.ppc64le",
"openSUSE Tumbleweed:xmlgraphics-batik-javadoc-1.17-1.1.s390x",
"openSUSE Tumbleweed:xmlgraphics-batik-javadoc-1.17-1.1.x86_64",
"openSUSE Tumbleweed:xmlgraphics-batik-rasterizer-1.17-1.1.aarch64",
"openSUSE Tumbleweed:xmlgraphics-batik-rasterizer-1.17-1.1.ppc64le",
"openSUSE Tumbleweed:xmlgraphics-batik-rasterizer-1.17-1.1.s390x",
"openSUSE Tumbleweed:xmlgraphics-batik-rasterizer-1.17-1.1.x86_64",
"openSUSE Tumbleweed:xmlgraphics-batik-slideshow-1.17-1.1.aarch64",
"openSUSE Tumbleweed:xmlgraphics-batik-slideshow-1.17-1.1.ppc64le",
"openSUSE Tumbleweed:xmlgraphics-batik-slideshow-1.17-1.1.s390x",
"openSUSE Tumbleweed:xmlgraphics-batik-slideshow-1.17-1.1.x86_64",
"openSUSE Tumbleweed:xmlgraphics-batik-squiggle-1.17-1.1.aarch64",
"openSUSE Tumbleweed:xmlgraphics-batik-squiggle-1.17-1.1.ppc64le",
"openSUSE Tumbleweed:xmlgraphics-batik-squiggle-1.17-1.1.s390x",
"openSUSE Tumbleweed:xmlgraphics-batik-squiggle-1.17-1.1.x86_64",
"openSUSE Tumbleweed:xmlgraphics-batik-svgpp-1.17-1.1.aarch64",
"openSUSE Tumbleweed:xmlgraphics-batik-svgpp-1.17-1.1.ppc64le",
"openSUSE Tumbleweed:xmlgraphics-batik-svgpp-1.17-1.1.s390x",
"openSUSE Tumbleweed:xmlgraphics-batik-svgpp-1.17-1.1.x86_64",
"openSUSE Tumbleweed:xmlgraphics-batik-ttf2svg-1.17-1.1.aarch64",
"openSUSE Tumbleweed:xmlgraphics-batik-ttf2svg-1.17-1.1.ppc64le",
"openSUSE Tumbleweed:xmlgraphics-batik-ttf2svg-1.17-1.1.s390x",
"openSUSE Tumbleweed:xmlgraphics-batik-ttf2svg-1.17-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2022-44730",
"url": "https://www.suse.com/security/cve/CVE-2022-44730"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:xmlgraphics-batik-1.17-1.1.aarch64",
"openSUSE Tumbleweed:xmlgraphics-batik-1.17-1.1.ppc64le",
"openSUSE Tumbleweed:xmlgraphics-batik-1.17-1.1.s390x",
"openSUSE Tumbleweed:xmlgraphics-batik-1.17-1.1.x86_64",
"openSUSE Tumbleweed:xmlgraphics-batik-css-1.17-1.1.aarch64",
"openSUSE Tumbleweed:xmlgraphics-batik-css-1.17-1.1.ppc64le",
"openSUSE Tumbleweed:xmlgraphics-batik-css-1.17-1.1.s390x",
"openSUSE Tumbleweed:xmlgraphics-batik-css-1.17-1.1.x86_64",
"openSUSE Tumbleweed:xmlgraphics-batik-demo-1.17-1.1.aarch64",
"openSUSE Tumbleweed:xmlgraphics-batik-demo-1.17-1.1.ppc64le",
"openSUSE Tumbleweed:xmlgraphics-batik-demo-1.17-1.1.s390x",
"openSUSE Tumbleweed:xmlgraphics-batik-demo-1.17-1.1.x86_64",
"openSUSE Tumbleweed:xmlgraphics-batik-javadoc-1.17-1.1.aarch64",
"openSUSE Tumbleweed:xmlgraphics-batik-javadoc-1.17-1.1.ppc64le",
"openSUSE Tumbleweed:xmlgraphics-batik-javadoc-1.17-1.1.s390x",
"openSUSE Tumbleweed:xmlgraphics-batik-javadoc-1.17-1.1.x86_64",
"openSUSE Tumbleweed:xmlgraphics-batik-rasterizer-1.17-1.1.aarch64",
"openSUSE Tumbleweed:xmlgraphics-batik-rasterizer-1.17-1.1.ppc64le",
"openSUSE Tumbleweed:xmlgraphics-batik-rasterizer-1.17-1.1.s390x",
"openSUSE Tumbleweed:xmlgraphics-batik-rasterizer-1.17-1.1.x86_64",
"openSUSE Tumbleweed:xmlgraphics-batik-slideshow-1.17-1.1.aarch64",
"openSUSE Tumbleweed:xmlgraphics-batik-slideshow-1.17-1.1.ppc64le",
"openSUSE Tumbleweed:xmlgraphics-batik-slideshow-1.17-1.1.s390x",
"openSUSE Tumbleweed:xmlgraphics-batik-slideshow-1.17-1.1.x86_64",
"openSUSE Tumbleweed:xmlgraphics-batik-squiggle-1.17-1.1.aarch64",
"openSUSE Tumbleweed:xmlgraphics-batik-squiggle-1.17-1.1.ppc64le",
"openSUSE Tumbleweed:xmlgraphics-batik-squiggle-1.17-1.1.s390x",
"openSUSE Tumbleweed:xmlgraphics-batik-squiggle-1.17-1.1.x86_64",
"openSUSE Tumbleweed:xmlgraphics-batik-svgpp-1.17-1.1.aarch64",
"openSUSE Tumbleweed:xmlgraphics-batik-svgpp-1.17-1.1.ppc64le",
"openSUSE Tumbleweed:xmlgraphics-batik-svgpp-1.17-1.1.s390x",
"openSUSE Tumbleweed:xmlgraphics-batik-svgpp-1.17-1.1.x86_64",
"openSUSE Tumbleweed:xmlgraphics-batik-ttf2svg-1.17-1.1.aarch64",
"openSUSE Tumbleweed:xmlgraphics-batik-ttf2svg-1.17-1.1.ppc64le",
"openSUSE Tumbleweed:xmlgraphics-batik-ttf2svg-1.17-1.1.s390x",
"openSUSE Tumbleweed:xmlgraphics-batik-ttf2svg-1.17-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 4.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:xmlgraphics-batik-1.17-1.1.aarch64",
"openSUSE Tumbleweed:xmlgraphics-batik-1.17-1.1.ppc64le",
"openSUSE Tumbleweed:xmlgraphics-batik-1.17-1.1.s390x",
"openSUSE Tumbleweed:xmlgraphics-batik-1.17-1.1.x86_64",
"openSUSE Tumbleweed:xmlgraphics-batik-css-1.17-1.1.aarch64",
"openSUSE Tumbleweed:xmlgraphics-batik-css-1.17-1.1.ppc64le",
"openSUSE Tumbleweed:xmlgraphics-batik-css-1.17-1.1.s390x",
"openSUSE Tumbleweed:xmlgraphics-batik-css-1.17-1.1.x86_64",
"openSUSE Tumbleweed:xmlgraphics-batik-demo-1.17-1.1.aarch64",
"openSUSE Tumbleweed:xmlgraphics-batik-demo-1.17-1.1.ppc64le",
"openSUSE Tumbleweed:xmlgraphics-batik-demo-1.17-1.1.s390x",
"openSUSE Tumbleweed:xmlgraphics-batik-demo-1.17-1.1.x86_64",
"openSUSE Tumbleweed:xmlgraphics-batik-javadoc-1.17-1.1.aarch64",
"openSUSE Tumbleweed:xmlgraphics-batik-javadoc-1.17-1.1.ppc64le",
"openSUSE Tumbleweed:xmlgraphics-batik-javadoc-1.17-1.1.s390x",
"openSUSE Tumbleweed:xmlgraphics-batik-javadoc-1.17-1.1.x86_64",
"openSUSE Tumbleweed:xmlgraphics-batik-rasterizer-1.17-1.1.aarch64",
"openSUSE Tumbleweed:xmlgraphics-batik-rasterizer-1.17-1.1.ppc64le",
"openSUSE Tumbleweed:xmlgraphics-batik-rasterizer-1.17-1.1.s390x",
"openSUSE Tumbleweed:xmlgraphics-batik-rasterizer-1.17-1.1.x86_64",
"openSUSE Tumbleweed:xmlgraphics-batik-slideshow-1.17-1.1.aarch64",
"openSUSE Tumbleweed:xmlgraphics-batik-slideshow-1.17-1.1.ppc64le",
"openSUSE Tumbleweed:xmlgraphics-batik-slideshow-1.17-1.1.s390x",
"openSUSE Tumbleweed:xmlgraphics-batik-slideshow-1.17-1.1.x86_64",
"openSUSE Tumbleweed:xmlgraphics-batik-squiggle-1.17-1.1.aarch64",
"openSUSE Tumbleweed:xmlgraphics-batik-squiggle-1.17-1.1.ppc64le",
"openSUSE Tumbleweed:xmlgraphics-batik-squiggle-1.17-1.1.s390x",
"openSUSE Tumbleweed:xmlgraphics-batik-squiggle-1.17-1.1.x86_64",
"openSUSE Tumbleweed:xmlgraphics-batik-svgpp-1.17-1.1.aarch64",
"openSUSE Tumbleweed:xmlgraphics-batik-svgpp-1.17-1.1.ppc64le",
"openSUSE Tumbleweed:xmlgraphics-batik-svgpp-1.17-1.1.s390x",
"openSUSE Tumbleweed:xmlgraphics-batik-svgpp-1.17-1.1.x86_64",
"openSUSE Tumbleweed:xmlgraphics-batik-ttf2svg-1.17-1.1.aarch64",
"openSUSE Tumbleweed:xmlgraphics-batik-ttf2svg-1.17-1.1.ppc64le",
"openSUSE Tumbleweed:xmlgraphics-batik-ttf2svg-1.17-1.1.s390x",
"openSUSE Tumbleweed:xmlgraphics-batik-ttf2svg-1.17-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-15T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2022-44730"
}
]
}
WID-SEC-W-2024-0124
Vulnerability from csaf_certbund - Published: 2024-01-16 23:00 - Updated: 2024-01-16 23:00Summary
Oracle Financial Services Applications: Mehrere Schwachstellen
Notes
Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.
Produktbeschreibung
Oracle Financial Services ist eine Zusammenstellung von Anwendungen für den Finanzsektor und eine Technologiebasis zur Erfüllung von IT- und Geschäftsanforderungen.
Angriff
Ein entfernter, anonymer oder authentisierter Angreifer kann mehrere Schwachstellen in Oracle Financial Services Applications ausnutzen, um die Vertraulichkeit, Integrität und Verfügbarkeit zu gefährden.
Betroffene Betriebssysteme
- UNIX
- Linux
- Windows
{
"document": {
"aggregate_severity": {
"text": "hoch"
},
"category": "csaf_base",
"csaf_version": "2.0",
"distribution": {
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "de-DE",
"notes": [
{
"category": "legal_disclaimer",
"text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
},
{
"category": "description",
"text": "Oracle Financial Services ist eine Zusammenstellung von Anwendungen f\u00fcr den Finanzsektor und eine Technologiebasis zur Erf\u00fcllung von IT- und Gesch\u00e4ftsanforderungen.",
"title": "Produktbeschreibung"
},
{
"category": "summary",
"text": "Ein entfernter, anonymer oder authentisierter Angreifer kann mehrere Schwachstellen in Oracle Financial Services Applications ausnutzen, um die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit zu gef\u00e4hrden.",
"title": "Angriff"
},
{
"category": "general",
"text": "- UNIX\n- Linux\n- Windows",
"title": "Betroffene Betriebssysteme"
}
],
"publisher": {
"category": "other",
"contact_details": "csaf-provider@cert-bund.de",
"name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
"namespace": "https://www.bsi.bund.de"
},
"references": [
{
"category": "self",
"summary": "WID-SEC-W-2024-0124 - CSAF Version",
"url": "https://wid.cert-bund.de/.well-known/csaf/white/2024/wid-sec-w-2024-0124.json"
},
{
"category": "self",
"summary": "WID-SEC-2024-0124 - Portal Version",
"url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2024-0124"
},
{
"category": "external",
"summary": "Oracle Critical Patch Update Advisory - January 2024 - Appendix Oracle Financial Services Applications vom 2024-01-16",
"url": "https://www.oracle.com/security-alerts/cpujan2024.html#AppendixIFLX"
}
],
"source_lang": "en-US",
"title": "Oracle Financial Services Applications: Mehrere Schwachstellen",
"tracking": {
"current_release_date": "2024-01-16T23:00:00.000+00:00",
"generator": {
"date": "2024-08-15T18:03:50.294+00:00",
"engine": {
"name": "BSI-WID",
"version": "1.3.5"
}
},
"id": "WID-SEC-W-2024-0124",
"initial_release_date": "2024-01-16T23:00:00.000+00:00",
"revision_history": [
{
"date": "2024-01-16T23:00:00.000+00:00",
"number": "1",
"summary": "Initiale Fassung"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Oracle Financial Services Applications 2.7.1",
"product": {
"name": "Oracle Financial Services Applications 2.7.1",
"product_id": "T018979",
"product_identification_helper": {
"cpe": "cpe:/a:oracle:financial_services_applications:2.7.1"
}
}
},
{
"category": "product_name",
"name": "Oracle Financial Services Applications 2.8.0",
"product": {
"name": "Oracle Financial Services Applications 2.8.0",
"product_id": "T018980",
"product_identification_helper": {
"cpe": "cpe:/a:oracle:financial_services_applications:2.8.0"
}
}
},
{
"category": "product_name",
"name": "Oracle Financial Services Applications 2.9.0",
"product": {
"name": "Oracle Financial Services Applications 2.9.0",
"product_id": "T018981",
"product_identification_helper": {
"cpe": "cpe:/a:oracle:financial_services_applications:2.9.0"
}
}
},
{
"category": "product_name",
"name": "Oracle Financial Services Applications 8.1.0",
"product": {
"name": "Oracle Financial Services Applications 8.1.0",
"product_id": "T018983",
"product_identification_helper": {
"cpe": "cpe:/a:oracle:financial_services_applications:8.1.0"
}
}
},
{
"category": "product_name",
"name": "Oracle Financial Services Applications 8.0.9",
"product": {
"name": "Oracle Financial Services Applications 8.0.9",
"product_id": "T019890",
"product_identification_helper": {
"cpe": "cpe:/a:oracle:financial_services_applications:8.0.9"
}
}
},
{
"category": "product_name",
"name": "Oracle Financial Services Applications 8.1.1",
"product": {
"name": "Oracle Financial Services Applications 8.1.1",
"product_id": "T019891",
"product_identification_helper": {
"cpe": "cpe:/a:oracle:financial_services_applications:8.1.1"
}
}
},
{
"category": "product_name",
"name": "Oracle Financial Services Applications 8.0.7",
"product": {
"name": "Oracle Financial Services Applications 8.0.7",
"product_id": "T021676",
"product_identification_helper": {
"cpe": "cpe:/a:oracle:financial_services_applications:8.0.7"
}
}
},
{
"category": "product_name",
"name": "Oracle Financial Services Applications 8.0.8",
"product": {
"name": "Oracle Financial Services Applications 8.0.8",
"product_id": "T021677",
"product_identification_helper": {
"cpe": "cpe:/a:oracle:financial_services_applications:8.0.8"
}
}
},
{
"category": "product_name",
"name": "Oracle Financial Services Applications 8.1.1.1",
"product": {
"name": "Oracle Financial Services Applications 8.1.1.1",
"product_id": "T022835",
"product_identification_helper": {
"cpe": "cpe:/a:oracle:financial_services_applications:8.1.1.1"
}
}
},
{
"category": "product_name",
"name": "Oracle Financial Services Applications 8.0.8.1",
"product": {
"name": "Oracle Financial Services Applications 8.0.8.1",
"product_id": "T022844",
"product_identification_helper": {
"cpe": "cpe:/a:oracle:financial_services_applications:8.0.8.1"
}
}
},
{
"category": "product_name",
"name": "Oracle Financial Services Applications 8.0.8.2",
"product": {
"name": "Oracle Financial Services Applications 8.0.8.2",
"product_id": "T024990",
"product_identification_helper": {
"cpe": "cpe:/a:oracle:financial_services_applications:8.0.8.2"
}
}
},
{
"category": "product_name",
"name": "Oracle Financial Services Applications 2.9.1",
"product": {
"name": "Oracle Financial Services Applications 2.9.1",
"product_id": "T027359",
"product_identification_helper": {
"cpe": "cpe:/a:oracle:financial_services_applications:2.9.1"
}
}
},
{
"category": "product_name",
"name": "Oracle Financial Services Applications 8.1.2",
"product": {
"name": "Oracle Financial Services Applications 8.1.2",
"product_id": "T028705",
"product_identification_helper": {
"cpe": "cpe:/a:oracle:financial_services_applications:8.1.2"
}
}
},
{
"category": "product_name",
"name": "Oracle Financial Services Applications 8.1.2.5",
"product": {
"name": "Oracle Financial Services Applications 8.1.2.5",
"product_id": "T028706",
"product_identification_helper": {
"cpe": "cpe:/a:oracle:financial_services_applications:8.1.2.5"
}
}
},
{
"category": "product_name",
"name": "Oracle Financial Services Applications \u003c= 14.7.0",
"product": {
"name": "Oracle Financial Services Applications \u003c= 14.7.0",
"product_id": "T028707",
"product_identification_helper": {
"cpe": "cpe:/a:oracle:financial_services_applications:14.7.0"
}
}
},
{
"category": "product_name",
"name": "Oracle Financial Services Applications 22.1.0",
"product": {
"name": "Oracle Financial Services Applications 22.1.0",
"product_id": "T032101",
"product_identification_helper": {
"cpe": "cpe:/a:oracle:financial_services_applications:22.1.0"
}
}
},
{
"category": "product_name",
"name": "Oracle Financial Services Applications 22.2.0",
"product": {
"name": "Oracle Financial Services Applications 22.2.0",
"product_id": "T032102",
"product_identification_helper": {
"cpe": "cpe:/a:oracle:financial_services_applications:22.2.0"
}
}
},
{
"category": "product_name",
"name": "Oracle Financial Services Applications 21.1.0",
"product": {
"name": "Oracle Financial Services Applications 21.1.0",
"product_id": "T032103",
"product_identification_helper": {
"cpe": "cpe:/a:oracle:financial_services_applications:21.1.0"
}
}
},
{
"category": "product_name",
"name": "Oracle Financial Services Applications 8.1.2.6",
"product": {
"name": "Oracle Financial Services Applications 8.1.2.6",
"product_id": "T032104",
"product_identification_helper": {
"cpe": "cpe:/a:oracle:financial_services_applications:8.1.2.6"
}
}
},
{
"category": "product_name",
"name": "Oracle Financial Services Applications 19.1.0",
"product": {
"name": "Oracle Financial Services Applications 19.1.0",
"product_id": "T032105",
"product_identification_helper": {
"cpe": "cpe:/a:oracle:financial_services_applications:19.1.0"
}
}
},
{
"category": "product_name",
"name": "Oracle Financial Services Applications 5.0.0",
"product": {
"name": "Oracle Financial Services Applications 5.0.0",
"product_id": "T032106",
"product_identification_helper": {
"cpe": "cpe:/a:oracle:financial_services_applications:5.0.0"
}
}
},
{
"category": "product_name",
"name": "Oracle Financial Services Applications 5.1.0",
"product": {
"name": "Oracle Financial Services Applications 5.1.0",
"product_id": "T032107",
"product_identification_helper": {
"cpe": "cpe:/a:oracle:financial_services_applications:5.1.0"
}
}
},
{
"category": "product_name",
"name": "Oracle Financial Services Applications \u003c= 3.2.0",
"product": {
"name": "Oracle Financial Services Applications \u003c= 3.2.0",
"product_id": "T032108",
"product_identification_helper": {
"cpe": "cpe:/a:oracle:financial_services_applications:3.2.0"
}
}
},
{
"category": "product_name",
"name": "Oracle Financial Services Applications 4.0.0",
"product": {
"name": "Oracle Financial Services Applications 4.0.0",
"product_id": "T032109",
"product_identification_helper": {
"cpe": "cpe:/a:oracle:financial_services_applications:4.0.0"
}
}
},
{
"category": "product_name",
"name": "Oracle Financial Services Applications 6.0.0",
"product": {
"name": "Oracle Financial Services Applications 6.0.0",
"product_id": "T032110",
"product_identification_helper": {
"cpe": "cpe:/a:oracle:financial_services_applications:6.0.0"
}
}
},
{
"category": "product_name",
"name": "Oracle Financial Services Applications 14.7.0.3.0",
"product": {
"name": "Oracle Financial Services Applications 14.7.0.3.0",
"product_id": "T032111",
"product_identification_helper": {
"cpe": "cpe:/a:oracle:financial_services_applications:14.7.0.3.0"
}
}
},
{
"category": "product_name",
"name": "Oracle Financial Services Applications 3.0.0",
"product": {
"name": "Oracle Financial Services Applications 3.0.0",
"product_id": "T032112",
"product_identification_helper": {
"cpe": "cpe:/a:oracle:financial_services_applications:3.0.0"
}
}
},
{
"category": "product_name",
"name": "Oracle Financial Services Applications 3.1.0",
"product": {
"name": "Oracle Financial Services Applications 3.1.0",
"product_id": "T032113",
"product_identification_helper": {
"cpe": "cpe:/a:oracle:financial_services_applications:3.1.0"
}
}
}
],
"category": "product_name",
"name": "Financial Services Applications"
}
],
"category": "vendor",
"name": "Oracle"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2023-5072",
"notes": [
{
"category": "description",
"text": "In Oracle Financial Services Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T032104",
"T032105",
"T032102",
"T032103",
"T032109",
"T032106",
"T032107",
"T019890",
"T019891",
"T032101",
"T018980",
"T018981",
"T021677",
"T022844",
"T018983",
"T021676",
"T028705",
"T028706",
"T027359",
"T032113",
"T032111",
"T032112",
"T032110",
"T022835",
"T018979",
"T024990"
],
"last_affected": [
"T028707",
"T032108"
]
},
"release_date": "2024-01-16T23:00:00.000+00:00",
"title": "CVE-2023-5072"
},
{
"cve": "CVE-2023-46604",
"notes": [
{
"category": "description",
"text": "In Oracle Financial Services Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T032104",
"T032105",
"T032102",
"T032103",
"T032109",
"T032106",
"T032107",
"T019890",
"T019891",
"T032101",
"T018980",
"T018981",
"T021677",
"T022844",
"T018983",
"T021676",
"T028705",
"T028706",
"T027359",
"T032113",
"T032111",
"T032112",
"T032110",
"T022835",
"T018979",
"T024990"
],
"last_affected": [
"T028707",
"T032108"
]
},
"release_date": "2024-01-16T23:00:00.000+00:00",
"title": "CVE-2023-46604"
},
{
"cve": "CVE-2023-44483",
"notes": [
{
"category": "description",
"text": "In Oracle Financial Services Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T032104",
"T032105",
"T032102",
"T032103",
"T032109",
"T032106",
"T032107",
"T019890",
"T019891",
"T032101",
"T018980",
"T018981",
"T021677",
"T022844",
"T018983",
"T021676",
"T028705",
"T028706",
"T027359",
"T032113",
"T032111",
"T032112",
"T032110",
"T022835",
"T018979",
"T024990"
],
"last_affected": [
"T028707",
"T032108"
]
},
"release_date": "2024-01-16T23:00:00.000+00:00",
"title": "CVE-2023-44483"
},
{
"cve": "CVE-2023-42503",
"notes": [
{
"category": "description",
"text": "In Oracle Financial Services Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T032104",
"T032105",
"T032102",
"T032103",
"T032109",
"T032106",
"T032107",
"T019890",
"T019891",
"T032101",
"T018980",
"T018981",
"T021677",
"T022844",
"T018983",
"T021676",
"T028705",
"T028706",
"T027359",
"T032113",
"T032111",
"T032112",
"T032110",
"T022835",
"T018979",
"T024990"
],
"last_affected": [
"T028707",
"T032108"
]
},
"release_date": "2024-01-16T23:00:00.000+00:00",
"title": "CVE-2023-42503"
},
{
"cve": "CVE-2023-34034",
"notes": [
{
"category": "description",
"text": "In Oracle Financial Services Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T032104",
"T032105",
"T032102",
"T032103",
"T032109",
"T032106",
"T032107",
"T019890",
"T019891",
"T032101",
"T018980",
"T018981",
"T021677",
"T022844",
"T018983",
"T021676",
"T028705",
"T028706",
"T027359",
"T032113",
"T032111",
"T032112",
"T032110",
"T022835",
"T018979",
"T024990"
],
"last_affected": [
"T028707",
"T032108"
]
},
"release_date": "2024-01-16T23:00:00.000+00:00",
"title": "CVE-2023-34034"
},
{
"cve": "CVE-2023-33201",
"notes": [
{
"category": "description",
"text": "In Oracle Financial Services Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T032104",
"T032105",
"T032102",
"T032103",
"T032109",
"T032106",
"T032107",
"T019890",
"T019891",
"T032101",
"T018980",
"T018981",
"T021677",
"T022844",
"T018983",
"T021676",
"T028705",
"T028706",
"T027359",
"T032113",
"T032111",
"T032112",
"T032110",
"T022835",
"T018979",
"T024990"
],
"last_affected": [
"T028707",
"T032108"
]
},
"release_date": "2024-01-16T23:00:00.000+00:00",
"title": "CVE-2023-33201"
},
{
"cve": "CVE-2023-2976",
"notes": [
{
"category": "description",
"text": "In Oracle Financial Services Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T032104",
"T032105",
"T032102",
"T032103",
"T032109",
"T032106",
"T032107",
"T019890",
"T019891",
"T032101",
"T018980",
"T018981",
"T021677",
"T022844",
"T018983",
"T021676",
"T028705",
"T028706",
"T027359",
"T032113",
"T032111",
"T032112",
"T032110",
"T022835",
"T018979",
"T024990"
],
"last_affected": [
"T028707",
"T032108"
]
},
"release_date": "2024-01-16T23:00:00.000+00:00",
"title": "CVE-2023-2976"
},
{
"cve": "CVE-2023-2618",
"notes": [
{
"category": "description",
"text": "In Oracle Financial Services Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T032104",
"T032105",
"T032102",
"T032103",
"T032109",
"T032106",
"T032107",
"T019890",
"T019891",
"T032101",
"T018980",
"T018981",
"T021677",
"T022844",
"T018983",
"T021676",
"T028705",
"T028706",
"T027359",
"T032113",
"T032111",
"T032112",
"T032110",
"T022835",
"T018979",
"T024990"
],
"last_affected": [
"T028707",
"T032108"
]
},
"release_date": "2024-01-16T23:00:00.000+00:00",
"title": "CVE-2023-2618"
},
{
"cve": "CVE-2023-24998",
"notes": [
{
"category": "description",
"text": "In Oracle Financial Services Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T032104",
"T032105",
"T032102",
"T032103",
"T032109",
"T032106",
"T032107",
"T019890",
"T019891",
"T032101",
"T018980",
"T018981",
"T021677",
"T022844",
"T018983",
"T021676",
"T028705",
"T028706",
"T027359",
"T032113",
"T032111",
"T032112",
"T032110",
"T022835",
"T018979",
"T024990"
],
"last_affected": [
"T028707",
"T032108"
]
},
"release_date": "2024-01-16T23:00:00.000+00:00",
"title": "CVE-2023-24998"
},
{
"cve": "CVE-2023-21901",
"notes": [
{
"category": "description",
"text": "In Oracle Financial Services Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T032104",
"T032105",
"T032102",
"T032103",
"T032109",
"T032106",
"T032107",
"T019890",
"T019891",
"T032101",
"T018980",
"T018981",
"T021677",
"T022844",
"T018983",
"T021676",
"T028705",
"T028706",
"T027359",
"T032113",
"T032111",
"T032112",
"T032110",
"T022835",
"T018979",
"T024990"
],
"last_affected": [
"T028707",
"T032108"
]
},
"release_date": "2024-01-16T23:00:00.000+00:00",
"title": "CVE-2023-21901"
},
{
"cve": "CVE-2023-1436",
"notes": [
{
"category": "description",
"text": "In Oracle Financial Services Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T032104",
"T032105",
"T032102",
"T032103",
"T032109",
"T032106",
"T032107",
"T019890",
"T019891",
"T032101",
"T018980",
"T018981",
"T021677",
"T022844",
"T018983",
"T021676",
"T028705",
"T028706",
"T027359",
"T032113",
"T032111",
"T032112",
"T032110",
"T022835",
"T018979",
"T024990"
],
"last_affected": [
"T028707",
"T032108"
]
},
"release_date": "2024-01-16T23:00:00.000+00:00",
"title": "CVE-2023-1436"
},
{
"cve": "CVE-2023-1370",
"notes": [
{
"category": "description",
"text": "In Oracle Financial Services Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T032104",
"T032105",
"T032102",
"T032103",
"T032109",
"T032106",
"T032107",
"T019890",
"T019891",
"T032101",
"T018980",
"T018981",
"T021677",
"T022844",
"T018983",
"T021676",
"T028705",
"T028706",
"T027359",
"T032113",
"T032111",
"T032112",
"T032110",
"T022835",
"T018979",
"T024990"
],
"last_affected": [
"T028707",
"T032108"
]
},
"release_date": "2024-01-16T23:00:00.000+00:00",
"title": "CVE-2023-1370"
},
{
"cve": "CVE-2022-44729",
"notes": [
{
"category": "description",
"text": "In Oracle Financial Services Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T032104",
"T032105",
"T032102",
"T032103",
"T032109",
"T032106",
"T032107",
"T019890",
"T019891",
"T032101",
"T018980",
"T018981",
"T021677",
"T022844",
"T018983",
"T021676",
"T028705",
"T028706",
"T027359",
"T032113",
"T032111",
"T032112",
"T032110",
"T022835",
"T018979",
"T024990"
],
"last_affected": [
"T028707",
"T032108"
]
},
"release_date": "2024-01-16T23:00:00.000+00:00",
"title": "CVE-2022-44729"
},
{
"cve": "CVE-2022-42920",
"notes": [
{
"category": "description",
"text": "In Oracle Financial Services Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T032104",
"T032105",
"T032102",
"T032103",
"T032109",
"T032106",
"T032107",
"T019890",
"T019891",
"T032101",
"T018980",
"T018981",
"T021677",
"T022844",
"T018983",
"T021676",
"T028705",
"T028706",
"T027359",
"T032113",
"T032111",
"T032112",
"T032110",
"T022835",
"T018979",
"T024990"
],
"last_affected": [
"T028707",
"T032108"
]
},
"release_date": "2024-01-16T23:00:00.000+00:00",
"title": "CVE-2022-42920"
},
{
"cve": "CVE-2022-42003",
"notes": [
{
"category": "description",
"text": "In Oracle Financial Services Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T032104",
"T032105",
"T032102",
"T032103",
"T032109",
"T032106",
"T032107",
"T019890",
"T019891",
"T032101",
"T018980",
"T018981",
"T021677",
"T022844",
"T018983",
"T021676",
"T028705",
"T028706",
"T027359",
"T032113",
"T032111",
"T032112",
"T032110",
"T022835",
"T018979",
"T024990"
],
"last_affected": [
"T028707",
"T032108"
]
},
"release_date": "2024-01-16T23:00:00.000+00:00",
"title": "CVE-2022-42003"
},
{
"cve": "CVE-2022-36944",
"notes": [
{
"category": "description",
"text": "In Oracle Financial Services Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T032104",
"T032105",
"T032102",
"T032103",
"T032109",
"T032106",
"T032107",
"T019890",
"T019891",
"T032101",
"T018980",
"T018981",
"T021677",
"T022844",
"T018983",
"T021676",
"T028705",
"T028706",
"T027359",
"T032113",
"T032111",
"T032112",
"T032110",
"T022835",
"T018979",
"T024990"
],
"last_affected": [
"T028707",
"T032108"
]
},
"release_date": "2024-01-16T23:00:00.000+00:00",
"title": "CVE-2022-36944"
},
{
"cve": "CVE-2022-36033",
"notes": [
{
"category": "description",
"text": "In Oracle Financial Services Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T032104",
"T032105",
"T032102",
"T032103",
"T032109",
"T032106",
"T032107",
"T019890",
"T019891",
"T032101",
"T018980",
"T018981",
"T021677",
"T022844",
"T018983",
"T021676",
"T028705",
"T028706",
"T027359",
"T032113",
"T032111",
"T032112",
"T032110",
"T022835",
"T018979",
"T024990"
],
"last_affected": [
"T028707",
"T032108"
]
},
"release_date": "2024-01-16T23:00:00.000+00:00",
"title": "CVE-2022-36033"
},
{
"cve": "CVE-2022-34169",
"notes": [
{
"category": "description",
"text": "In Oracle Financial Services Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T032104",
"T032105",
"T032102",
"T032103",
"T032109",
"T032106",
"T032107",
"T019890",
"T019891",
"T032101",
"T018980",
"T018981",
"T021677",
"T022844",
"T018983",
"T021676",
"T028705",
"T028706",
"T027359",
"T032113",
"T032111",
"T032112",
"T032110",
"T022835",
"T018979",
"T024990"
],
"last_affected": [
"T028707",
"T032108"
]
},
"release_date": "2024-01-16T23:00:00.000+00:00",
"title": "CVE-2022-34169"
},
{
"cve": "CVE-2022-31692",
"notes": [
{
"category": "description",
"text": "In Oracle Financial Services Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T032104",
"T032105",
"T032102",
"T032103",
"T032109",
"T032106",
"T032107",
"T019890",
"T019891",
"T032101",
"T018980",
"T018981",
"T021677",
"T022844",
"T018983",
"T021676",
"T028705",
"T028706",
"T027359",
"T032113",
"T032111",
"T032112",
"T032110",
"T022835",
"T018979",
"T024990"
],
"last_affected": [
"T028707",
"T032108"
]
},
"release_date": "2024-01-16T23:00:00.000+00:00",
"title": "CVE-2022-31692"
},
{
"cve": "CVE-2022-31160",
"notes": [
{
"category": "description",
"text": "In Oracle Financial Services Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T032104",
"T032105",
"T032102",
"T032103",
"T032109",
"T032106",
"T032107",
"T019890",
"T019891",
"T032101",
"T018980",
"T018981",
"T021677",
"T022844",
"T018983",
"T021676",
"T028705",
"T028706",
"T027359",
"T032113",
"T032111",
"T032112",
"T032110",
"T022835",
"T018979",
"T024990"
],
"last_affected": [
"T028707",
"T032108"
]
},
"release_date": "2024-01-16T23:00:00.000+00:00",
"title": "CVE-2022-31160"
},
{
"cve": "CVE-2022-25147",
"notes": [
{
"category": "description",
"text": "In Oracle Financial Services Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T032104",
"T032105",
"T032102",
"T032103",
"T032109",
"T032106",
"T032107",
"T019890",
"T019891",
"T032101",
"T018980",
"T018981",
"T021677",
"T022844",
"T018983",
"T021676",
"T028705",
"T028706",
"T027359",
"T032113",
"T032111",
"T032112",
"T032110",
"T022835",
"T018979",
"T024990"
],
"last_affected": [
"T028707",
"T032108"
]
},
"release_date": "2024-01-16T23:00:00.000+00:00",
"title": "CVE-2022-25147"
},
{
"cve": "CVE-2022-22979",
"notes": [
{
"category": "description",
"text": "In Oracle Financial Services Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T032104",
"T032105",
"T032102",
"T032103",
"T032109",
"T032106",
"T032107",
"T019890",
"T019891",
"T032101",
"T018980",
"T018981",
"T021677",
"T022844",
"T018983",
"T021676",
"T028705",
"T028706",
"T027359",
"T032113",
"T032111",
"T032112",
"T032110",
"T022835",
"T018979",
"T024990"
],
"last_affected": [
"T028707",
"T032108"
]
},
"release_date": "2024-01-16T23:00:00.000+00:00",
"title": "CVE-2022-22979"
},
{
"cve": "CVE-2022-22969",
"notes": [
{
"category": "description",
"text": "In Oracle Financial Services Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T032104",
"T032105",
"T032102",
"T032103",
"T032109",
"T032106",
"T032107",
"T019890",
"T019891",
"T032101",
"T018980",
"T018981",
"T021677",
"T022844",
"T018983",
"T021676",
"T028705",
"T028706",
"T027359",
"T032113",
"T032111",
"T032112",
"T032110",
"T022835",
"T018979",
"T024990"
],
"last_affected": [
"T028707",
"T032108"
]
},
"release_date": "2024-01-16T23:00:00.000+00:00",
"title": "CVE-2022-22969"
},
{
"cve": "CVE-2020-5410",
"notes": [
{
"category": "description",
"text": "In Oracle Financial Services Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T032104",
"T032105",
"T032102",
"T032103",
"T032109",
"T032106",
"T032107",
"T019890",
"T019891",
"T032101",
"T018980",
"T018981",
"T021677",
"T022844",
"T018983",
"T021676",
"T028705",
"T028706",
"T027359",
"T032113",
"T032111",
"T032112",
"T032110",
"T022835",
"T018979",
"T024990"
],
"last_affected": [
"T028707",
"T032108"
]
},
"release_date": "2024-01-16T23:00:00.000+00:00",
"title": "CVE-2020-5410"
},
{
"cve": "CVE-2020-15250",
"notes": [
{
"category": "description",
"text": "In Oracle Financial Services Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T032104",
"T032105",
"T032102",
"T032103",
"T032109",
"T032106",
"T032107",
"T019890",
"T019891",
"T032101",
"T018980",
"T018981",
"T021677",
"T022844",
"T018983",
"T021676",
"T028705",
"T028706",
"T027359",
"T032113",
"T032111",
"T032112",
"T032110",
"T022835",
"T018979",
"T024990"
],
"last_affected": [
"T028707",
"T032108"
]
},
"release_date": "2024-01-16T23:00:00.000+00:00",
"title": "CVE-2020-15250"
}
]
}
WID-SEC-W-2023-2674
Vulnerability from csaf_certbund - Published: 2023-10-17 22:00 - Updated: 2023-12-26 23:00Summary
Oracle Fusion Middleware: Mehrere Schwachstellen
Notes
Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.
Produktbeschreibung
Oracle Fusion Middleware bündelt mehrere Produkte zur Erstellung, Betrieb und Management von intelligenten Business Anwendungen.
Angriff
Ein entfernter, anonymer oder authentisierter Angreifer kann mehrere Schwachstellen in Oracle Fusion Middleware ausnutzen, um die Vertraulichkeit, Integrität und Verfügbarkeit zu gefährden.
Betroffene Betriebssysteme
- UNIX
- Linux
- Windows
{
"document": {
"aggregate_severity": {
"text": "hoch"
},
"category": "csaf_base",
"csaf_version": "2.0",
"distribution": {
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "de-DE",
"notes": [
{
"category": "legal_disclaimer",
"text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
},
{
"category": "description",
"text": "Oracle Fusion Middleware b\u00fcndelt mehrere Produkte zur Erstellung, Betrieb und Management von intelligenten Business Anwendungen.",
"title": "Produktbeschreibung"
},
{
"category": "summary",
"text": "Ein entfernter, anonymer oder authentisierter Angreifer kann mehrere Schwachstellen in Oracle Fusion Middleware ausnutzen, um die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit zu gef\u00e4hrden.",
"title": "Angriff"
},
{
"category": "general",
"text": "- UNIX\n- Linux\n- Windows",
"title": "Betroffene Betriebssysteme"
}
],
"publisher": {
"category": "other",
"contact_details": "csaf-provider@cert-bund.de",
"name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
"namespace": "https://www.bsi.bund.de"
},
"references": [
{
"category": "self",
"summary": "WID-SEC-W-2023-2674 - CSAF Version",
"url": "https://wid.cert-bund.de/.well-known/csaf/white/2023/wid-sec-w-2023-2674.json"
},
{
"category": "self",
"summary": "WID-SEC-2023-2674 - Portal Version",
"url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2023-2674"
},
{
"category": "external",
"summary": "Oracle Critical Patch Update Advisory - October 2023 - Appendix Oracle Fusion Middleware vom 2023-10-17",
"url": "https://www.oracle.com/security-alerts/cpuoct2023.html#AppendixFMW"
},
{
"category": "external",
"summary": "Dell Security Advisory DSA-2023-409 vom 2023-12-23",
"url": "https://www.dell.com/support/kbdoc/000220669/dsa-2023-="
}
],
"source_lang": "en-US",
"title": "Oracle Fusion Middleware: Mehrere Schwachstellen",
"tracking": {
"current_release_date": "2023-12-26T23:00:00.000+00:00",
"generator": {
"date": "2024-08-15T17:59:59.153+00:00",
"engine": {
"name": "BSI-WID",
"version": "1.3.5"
}
},
"id": "WID-SEC-W-2023-2674",
"initial_release_date": "2023-10-17T22:00:00.000+00:00",
"revision_history": [
{
"date": "2023-10-17T22:00:00.000+00:00",
"number": "1",
"summary": "Initiale Fassung"
},
{
"date": "2023-12-26T23:00:00.000+00:00",
"number": "2",
"summary": "Neue Updates von Dell aufgenommen"
}
],
"status": "final",
"version": "2"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Oracle Fusion Middleware 12.2.1.3.0",
"product": {
"name": "Oracle Fusion Middleware 12.2.1.3.0",
"product_id": "618028",
"product_identification_helper": {
"cpe": "cpe:/a:oracle:fusion_middleware:12.2.1.3.0"
}
}
},
{
"category": "product_name",
"name": "Oracle Fusion Middleware 12.2.1.4.0",
"product": {
"name": "Oracle Fusion Middleware 12.2.1.4.0",
"product_id": "751674",
"product_identification_helper": {
"cpe": "cpe:/a:oracle:fusion_middleware:12.2.1.4.0"
}
}
},
{
"category": "product_name",
"name": "Oracle Fusion Middleware 14.1.1.0.0",
"product": {
"name": "Oracle Fusion Middleware 14.1.1.0.0",
"product_id": "829576",
"product_identification_helper": {
"cpe": "cpe:/a:oracle:fusion_middleware:14.1.1.0.0"
}
}
},
{
"category": "product_name",
"name": "Oracle Fusion Middleware 8.5.6",
"product": {
"name": "Oracle Fusion Middleware 8.5.6",
"product_id": "T024993",
"product_identification_helper": {
"cpe": "cpe:/a:oracle:fusion_middleware:8.5.6"
}
}
}
],
"category": "product_name",
"name": "Fusion Middleware"
}
],
"category": "vendor",
"name": "Oracle"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2023-39022",
"notes": [
{
"category": "description",
"text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T024993",
"618028",
"751674",
"829576"
]
},
"release_date": "2023-10-17T22:00:00.000+00:00",
"title": "CVE-2023-39022"
},
{
"cve": "CVE-2023-35887",
"notes": [
{
"category": "description",
"text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T024993",
"618028",
"751674",
"829576"
]
},
"release_date": "2023-10-17T22:00:00.000+00:00",
"title": "CVE-2023-35887"
},
{
"cve": "CVE-2023-35116",
"notes": [
{
"category": "description",
"text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T024993",
"618028",
"751674",
"829576"
]
},
"release_date": "2023-10-17T22:00:00.000+00:00",
"title": "CVE-2023-35116"
},
{
"cve": "CVE-2023-34462",
"notes": [
{
"category": "description",
"text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T024993",
"618028",
"751674",
"829576"
]
},
"release_date": "2023-10-17T22:00:00.000+00:00",
"title": "CVE-2023-34462"
},
{
"cve": "CVE-2023-2976",
"notes": [
{
"category": "description",
"text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T024993",
"618028",
"751674",
"829576"
]
},
"release_date": "2023-10-17T22:00:00.000+00:00",
"title": "CVE-2023-2976"
},
{
"cve": "CVE-2023-28708",
"notes": [
{
"category": "description",
"text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T024993",
"618028",
"751674",
"829576"
]
},
"release_date": "2023-10-17T22:00:00.000+00:00",
"title": "CVE-2023-28708"
},
{
"cve": "CVE-2023-28484",
"notes": [
{
"category": "description",
"text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T024993",
"618028",
"751674",
"829576"
]
},
"release_date": "2023-10-17T22:00:00.000+00:00",
"title": "CVE-2023-28484"
},
{
"cve": "CVE-2023-2650",
"notes": [
{
"category": "description",
"text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T024993",
"618028",
"751674",
"829576"
]
},
"release_date": "2023-10-17T22:00:00.000+00:00",
"title": "CVE-2023-2650"
},
{
"cve": "CVE-2023-24998",
"notes": [
{
"category": "description",
"text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T024993",
"618028",
"751674",
"829576"
]
},
"release_date": "2023-10-17T22:00:00.000+00:00",
"title": "CVE-2023-24998"
},
{
"cve": "CVE-2023-22127",
"notes": [
{
"category": "description",
"text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T024993",
"618028",
"751674",
"829576"
]
},
"release_date": "2023-10-17T22:00:00.000+00:00",
"title": "CVE-2023-22127"
},
{
"cve": "CVE-2023-22126",
"notes": [
{
"category": "description",
"text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T024993",
"618028",
"751674",
"829576"
]
},
"release_date": "2023-10-17T22:00:00.000+00:00",
"title": "CVE-2023-22126"
},
{
"cve": "CVE-2023-22108",
"notes": [
{
"category": "description",
"text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T024993",
"618028",
"751674",
"829576"
]
},
"release_date": "2023-10-17T22:00:00.000+00:00",
"title": "CVE-2023-22108"
},
{
"cve": "CVE-2023-22101",
"notes": [
{
"category": "description",
"text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T024993",
"618028",
"751674",
"829576"
]
},
"release_date": "2023-10-17T22:00:00.000+00:00",
"title": "CVE-2023-22101"
},
{
"cve": "CVE-2023-22089",
"notes": [
{
"category": "description",
"text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T024993",
"618028",
"751674",
"829576"
]
},
"release_date": "2023-10-17T22:00:00.000+00:00",
"title": "CVE-2023-22089"
},
{
"cve": "CVE-2023-22086",
"notes": [
{
"category": "description",
"text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T024993",
"618028",
"751674",
"829576"
]
},
"release_date": "2023-10-17T22:00:00.000+00:00",
"title": "CVE-2023-22086"
},
{
"cve": "CVE-2023-22072",
"notes": [
{
"category": "description",
"text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T024993",
"618028",
"751674",
"829576"
]
},
"release_date": "2023-10-17T22:00:00.000+00:00",
"title": "CVE-2023-22072"
},
{
"cve": "CVE-2023-22069",
"notes": [
{
"category": "description",
"text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T024993",
"618028",
"751674",
"829576"
]
},
"release_date": "2023-10-17T22:00:00.000+00:00",
"title": "CVE-2023-22069"
},
{
"cve": "CVE-2023-22019",
"notes": [
{
"category": "description",
"text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T024993",
"618028",
"751674",
"829576"
]
},
"release_date": "2023-10-17T22:00:00.000+00:00",
"title": "CVE-2023-22019"
},
{
"cve": "CVE-2023-20863",
"notes": [
{
"category": "description",
"text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T024993",
"618028",
"751674",
"829576"
]
},
"release_date": "2023-10-17T22:00:00.000+00:00",
"title": "CVE-2023-20863"
},
{
"cve": "CVE-2023-1436",
"notes": [
{
"category": "description",
"text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T024993",
"618028",
"751674",
"829576"
]
},
"release_date": "2023-10-17T22:00:00.000+00:00",
"title": "CVE-2023-1436"
},
{
"cve": "CVE-2022-45690",
"notes": [
{
"category": "description",
"text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T024993",
"618028",
"751674",
"829576"
]
},
"release_date": "2023-10-17T22:00:00.000+00:00",
"title": "CVE-2022-45690"
},
{
"cve": "CVE-2022-45688",
"notes": [
{
"category": "description",
"text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T024993",
"618028",
"751674",
"829576"
]
},
"release_date": "2023-10-17T22:00:00.000+00:00",
"title": "CVE-2022-45688"
},
{
"cve": "CVE-2022-44729",
"notes": [
{
"category": "description",
"text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T024993",
"618028",
"751674",
"829576"
]
},
"release_date": "2023-10-17T22:00:00.000+00:00",
"title": "CVE-2022-44729"
},
{
"cve": "CVE-2022-42920",
"notes": [
{
"category": "description",
"text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T024993",
"618028",
"751674",
"829576"
]
},
"release_date": "2023-10-17T22:00:00.000+00:00",
"title": "CVE-2022-42920"
},
{
"cve": "CVE-2022-42004",
"notes": [
{
"category": "description",
"text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T024993",
"618028",
"751674",
"829576"
]
},
"release_date": "2023-10-17T22:00:00.000+00:00",
"title": "CVE-2022-42004"
},
{
"cve": "CVE-2022-37436",
"notes": [
{
"category": "description",
"text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T024993",
"618028",
"751674",
"829576"
]
},
"release_date": "2023-10-17T22:00:00.000+00:00",
"title": "CVE-2022-37436"
},
{
"cve": "CVE-2022-29599",
"notes": [
{
"category": "description",
"text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T024993",
"618028",
"751674",
"829576"
]
},
"release_date": "2023-10-17T22:00:00.000+00:00",
"title": "CVE-2022-29599"
},
{
"cve": "CVE-2022-29546",
"notes": [
{
"category": "description",
"text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T024993",
"618028",
"751674",
"829576"
]
},
"release_date": "2023-10-17T22:00:00.000+00:00",
"title": "CVE-2022-29546"
},
{
"cve": "CVE-2022-24839",
"notes": [
{
"category": "description",
"text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T024993",
"618028",
"751674",
"829576"
]
},
"release_date": "2023-10-17T22:00:00.000+00:00",
"title": "CVE-2022-24839"
},
{
"cve": "CVE-2022-23491",
"notes": [
{
"category": "description",
"text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T024993",
"618028",
"751674",
"829576"
]
},
"release_date": "2023-10-17T22:00:00.000+00:00",
"title": "CVE-2022-23491"
},
{
"cve": "CVE-2021-37714",
"notes": [
{
"category": "description",
"text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T024993",
"618028",
"751674",
"829576"
]
},
"release_date": "2023-10-17T22:00:00.000+00:00",
"title": "CVE-2021-37714"
},
{
"cve": "CVE-2021-37136",
"notes": [
{
"category": "description",
"text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T024993",
"618028",
"751674",
"829576"
]
},
"release_date": "2023-10-17T22:00:00.000+00:00",
"title": "CVE-2021-37136"
},
{
"cve": "CVE-2021-36374",
"notes": [
{
"category": "description",
"text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T024993",
"618028",
"751674",
"829576"
]
},
"release_date": "2023-10-17T22:00:00.000+00:00",
"title": "CVE-2021-36374"
},
{
"cve": "CVE-2021-28165",
"notes": [
{
"category": "description",
"text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T024993",
"618028",
"751674",
"829576"
]
},
"release_date": "2023-10-17T22:00:00.000+00:00",
"title": "CVE-2021-28165"
},
{
"cve": "CVE-2020-13956",
"notes": [
{
"category": "description",
"text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T024993",
"618028",
"751674",
"829576"
]
},
"release_date": "2023-10-17T22:00:00.000+00:00",
"title": "CVE-2020-13956"
},
{
"cve": "CVE-2019-10086",
"notes": [
{
"category": "description",
"text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T024993",
"618028",
"751674",
"829576"
]
},
"release_date": "2023-10-17T22:00:00.000+00:00",
"title": "CVE-2019-10086"
}
]
}
WID-SEC-W-2023-2673
Vulnerability from csaf_certbund - Published: 2023-10-17 22:00 - Updated: 2023-11-12 23:00Summary
Oracle Database Server: Mehrere Schwachstellen
Notes
Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.
Produktbeschreibung
Die Oracle Datenbank ist ein weit verbreitetes relationales Datenbanksystem.
Angriff
Ein entfernter, anonymer oder authentisierter Angreifer kann mehrere Schwachstellen in Oracle Database Server ausnutzen, um die Vertraulichkeit, Integrität und Verfügbarkeit zu gefährden.
Betroffene Betriebssysteme
- UNIX
- Linux
- Windows
{
"document": {
"aggregate_severity": {
"text": "mittel"
},
"category": "csaf_base",
"csaf_version": "2.0",
"distribution": {
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "de-DE",
"notes": [
{
"category": "legal_disclaimer",
"text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
},
{
"category": "description",
"text": "Die Oracle Datenbank ist ein weit verbreitetes relationales Datenbanksystem.",
"title": "Produktbeschreibung"
},
{
"category": "summary",
"text": "Ein entfernter, anonymer oder authentisierter Angreifer kann mehrere Schwachstellen in Oracle Database Server ausnutzen, um die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit zu gef\u00e4hrden.",
"title": "Angriff"
},
{
"category": "general",
"text": "- UNIX\n- Linux\n- Windows",
"title": "Betroffene Betriebssysteme"
}
],
"publisher": {
"category": "other",
"contact_details": "csaf-provider@cert-bund.de",
"name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
"namespace": "https://www.bsi.bund.de"
},
"references": [
{
"category": "self",
"summary": "WID-SEC-W-2023-2673 - CSAF Version",
"url": "https://wid.cert-bund.de/.well-known/csaf/white/2023/wid-sec-w-2023-2673.json"
},
{
"category": "self",
"summary": "WID-SEC-2023-2673 - Portal Version",
"url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2023-2673"
},
{
"category": "external",
"summary": "IBM Security Bulletin 7070736 vom 2023-11-10",
"url": "https://www.ibm.com/support/pages/node/7070736"
},
{
"category": "external",
"summary": "Oracle Critical Patch Update Advisory - October 2023 - Appendix Oracle Database Server vom 2023-10-17",
"url": "https://www.oracle.com/security-alerts/cpuoct2023.html#AppendixDB"
}
],
"source_lang": "en-US",
"title": "Oracle Database Server: Mehrere Schwachstellen",
"tracking": {
"current_release_date": "2023-11-12T23:00:00.000+00:00",
"generator": {
"date": "2024-08-15T17:59:58.906+00:00",
"engine": {
"name": "BSI-WID",
"version": "1.3.5"
}
},
"id": "WID-SEC-W-2023-2673",
"initial_release_date": "2023-10-17T22:00:00.000+00:00",
"revision_history": [
{
"date": "2023-10-17T22:00:00.000+00:00",
"number": "1",
"summary": "Initiale Fassung"
},
{
"date": "2023-11-12T23:00:00.000+00:00",
"number": "2",
"summary": "Neue Updates von IBM aufgenommen"
}
],
"status": "final",
"version": "2"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "IBM QRadar SIEM \u003c 7.5.0 UP7 IF02",
"product": {
"name": "IBM QRadar SIEM \u003c 7.5.0 UP7 IF02",
"product_id": "T031043",
"product_identification_helper": {
"cpe": "cpe:/a:ibm:qradar_siem:7.5.0_up7_if02"
}
}
}
],
"category": "vendor",
"name": "IBM"
},
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Oracle Database Server \u003c= 19.20",
"product": {
"name": "Oracle Database Server \u003c= 19.20",
"product_id": "T030573",
"product_identification_helper": {
"cpe": "cpe:/a:oracle:database_server:19.20"
}
}
},
{
"category": "product_name",
"name": "Oracle Database Server \u003c= 21.11",
"product": {
"name": "Oracle Database Server \u003c= 21.11",
"product_id": "T030574",
"product_identification_helper": {
"cpe": "cpe:/a:oracle:database_server:21.11"
}
}
}
],
"category": "product_name",
"name": "Database Server"
}
],
"category": "vendor",
"name": "Oracle"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2023-38039",
"notes": [
{
"category": "description",
"text": "In Oracle Database Server existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"MITTEL-HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T031043"
],
"last_affected": [
"T030574",
"T030573"
]
},
"release_date": "2023-10-17T22:00:00.000+00:00",
"title": "CVE-2023-38039"
},
{
"cve": "CVE-2023-35116",
"notes": [
{
"category": "description",
"text": "In Oracle Database Server existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"MITTEL-HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T031043"
],
"last_affected": [
"T030574",
"T030573"
]
},
"release_date": "2023-10-17T22:00:00.000+00:00",
"title": "CVE-2023-35116"
},
{
"cve": "CVE-2023-22096",
"notes": [
{
"category": "description",
"text": "In Oracle Database Server existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"MITTEL-HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T031043"
],
"last_affected": [
"T030574",
"T030573"
]
},
"release_date": "2023-10-17T22:00:00.000+00:00",
"title": "CVE-2023-22096"
},
{
"cve": "CVE-2023-22077",
"notes": [
{
"category": "description",
"text": "In Oracle Database Server existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"MITTEL-HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T031043"
],
"last_affected": [
"T030574",
"T030573"
]
},
"release_date": "2023-10-17T22:00:00.000+00:00",
"title": "CVE-2023-22077"
},
{
"cve": "CVE-2023-22075",
"notes": [
{
"category": "description",
"text": "In Oracle Database Server existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"MITTEL-HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T031043"
],
"last_affected": [
"T030574",
"T030573"
]
},
"release_date": "2023-10-17T22:00:00.000+00:00",
"title": "CVE-2023-22075"
},
{
"cve": "CVE-2023-22074",
"notes": [
{
"category": "description",
"text": "In Oracle Database Server existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"MITTEL-HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T031043"
],
"last_affected": [
"T030574",
"T030573"
]
},
"release_date": "2023-10-17T22:00:00.000+00:00",
"title": "CVE-2023-22074"
},
{
"cve": "CVE-2023-22073",
"notes": [
{
"category": "description",
"text": "In Oracle Database Server existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"MITTEL-HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T031043"
],
"last_affected": [
"T030574",
"T030573"
]
},
"release_date": "2023-10-17T22:00:00.000+00:00",
"title": "CVE-2023-22073"
},
{
"cve": "CVE-2023-22071",
"notes": [
{
"category": "description",
"text": "In Oracle Database Server existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"MITTEL-HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T031043"
],
"last_affected": [
"T030574",
"T030573"
]
},
"release_date": "2023-10-17T22:00:00.000+00:00",
"title": "CVE-2023-22071"
},
{
"cve": "CVE-2022-44729",
"notes": [
{
"category": "description",
"text": "In Oracle Database Server existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"MITTEL-HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T031043"
],
"last_affected": [
"T030574",
"T030573"
]
},
"release_date": "2023-10-17T22:00:00.000+00:00",
"title": "CVE-2022-44729"
},
{
"cve": "CVE-2022-23491",
"notes": [
{
"category": "description",
"text": "In Oracle Database Server existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"MITTEL-HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T031043"
],
"last_affected": [
"T030574",
"T030573"
]
},
"release_date": "2023-10-17T22:00:00.000+00:00",
"title": "CVE-2022-23491"
}
]
}
WID-SEC-W-2024-0088
Vulnerability from csaf_certbund - Published: 2024-01-15 23:00 - Updated: 2024-01-15 23:00Summary
IBM Maximo Asset Management: Mehrere Schwachstellen
Notes
Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.
Produktbeschreibung
Maximo Asset Management ist ein Enterprise-Asset-Management-System, das umfassenden Support für Assets, Maintenance, Ressourcen und Supply-Chain-Management-Anforderungen bietet.
Angriff
Ein Angreifer kann mehrere Schwachstellen in IBM Maximo Asset Management ausnutzen, um Sicherheitsvorkehrungen zu umgehen, Informationen offenzulegen, einen Denial of Service Zustand herbeizuführen oder beliebigen Programmcode auszuführen.
Betroffene Betriebssysteme
- UNIX
- Linux
- Windows
{
"document": {
"aggregate_severity": {
"text": "mittel"
},
"category": "csaf_base",
"csaf_version": "2.0",
"distribution": {
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "de-DE",
"notes": [
{
"category": "legal_disclaimer",
"text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
},
{
"category": "description",
"text": "Maximo Asset Management ist ein Enterprise-Asset-Management-System, das umfassenden Support f\u00fcr Assets, Maintenance, Ressourcen und Supply-Chain-Management-Anforderungen bietet.",
"title": "Produktbeschreibung"
},
{
"category": "summary",
"text": "Ein Angreifer kann mehrere Schwachstellen in IBM Maximo Asset Management ausnutzen, um Sicherheitsvorkehrungen zu umgehen, Informationen offenzulegen, einen Denial of Service Zustand herbeizuf\u00fchren oder beliebigen Programmcode auszuf\u00fchren.",
"title": "Angriff"
},
{
"category": "general",
"text": "- UNIX\n- Linux\n- Windows",
"title": "Betroffene Betriebssysteme"
}
],
"publisher": {
"category": "other",
"contact_details": "csaf-provider@cert-bund.de",
"name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
"namespace": "https://www.bsi.bund.de"
},
"references": [
{
"category": "self",
"summary": "WID-SEC-W-2024-0088 - CSAF Version",
"url": "https://wid.cert-bund.de/.well-known/csaf/white/2024/wid-sec-w-2024-0088.json"
},
{
"category": "self",
"summary": "WID-SEC-2024-0088 - Portal Version",
"url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2024-0088"
},
{
"category": "external",
"summary": "IBM Security Bulletin: 7107714 vom 2024-01-15",
"url": "https://www.ibm.com/support/pages/node/7107714"
},
{
"category": "external",
"summary": "IBM Security Bulletin: 7107738 vom 2024-01-15",
"url": "https://www.ibm.com/support/pages/node/7107738"
},
{
"category": "external",
"summary": "IBM Security Bulletin: 7107741 vom 2024-01-15",
"url": "https://www.ibm.com/support/pages/node/7107741"
},
{
"category": "external",
"summary": "IBM Security Bulletin: 7107715 vom 2024-01-15",
"url": "https://www.ibm.com/support/pages/node/7107715"
}
],
"source_lang": "en-US",
"title": "IBM Maximo Asset Management: Mehrere Schwachstellen",
"tracking": {
"current_release_date": "2024-01-15T23:00:00.000+00:00",
"generator": {
"date": "2024-08-15T18:03:38.768+00:00",
"engine": {
"name": "BSI-WID",
"version": "1.3.5"
}
},
"id": "WID-SEC-W-2024-0088",
"initial_release_date": "2024-01-15T23:00:00.000+00:00",
"revision_history": [
{
"date": "2024-01-15T23:00:00.000+00:00",
"number": "1",
"summary": "Initiale Fassung"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "IBM Maximo Asset Management 7.6.1",
"product": {
"name": "IBM Maximo Asset Management 7.6.1",
"product_id": "389168",
"product_identification_helper": {
"cpe": "cpe:/a:ibm:maximo_asset_management:7.6.1"
}
}
}
],
"category": "vendor",
"name": "IBM"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2022-44730",
"notes": [
{
"category": "description",
"text": "In IBM Maximo Asset Management existieren mehrere Schwachstellen. Diese sind auf verschiedene Fehler in den Komponenten \"google-oauth-client\", \"Apache Batik\" sowie \"Eclipse Jetty\" zur\u00fcckzuf\u00fchren. Ein entfernter, anonymer oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsvorkehrungen zu umgehen, Informationen offenzulegen oder einen Denial of Service Zustand herbeizuf\u00fchren."
}
],
"product_status": {
"known_affected": [
"389168"
]
},
"release_date": "2024-01-15T23:00:00.000+00:00",
"title": "CVE-2022-44730"
},
{
"cve": "CVE-2022-44729",
"notes": [
{
"category": "description",
"text": "In IBM Maximo Asset Management existieren mehrere Schwachstellen. Diese sind auf verschiedene Fehler in den Komponenten \"google-oauth-client\", \"Apache Batik\" sowie \"Eclipse Jetty\" zur\u00fcckzuf\u00fchren. Ein entfernter, anonymer oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsvorkehrungen zu umgehen, Informationen offenzulegen oder einen Denial of Service Zustand herbeizuf\u00fchren."
}
],
"product_status": {
"known_affected": [
"389168"
]
},
"release_date": "2024-01-15T23:00:00.000+00:00",
"title": "CVE-2022-44729"
},
{
"cve": "CVE-2021-22573",
"notes": [
{
"category": "description",
"text": "In IBM Maximo Asset Management existieren mehrere Schwachstellen. Diese sind auf verschiedene Fehler in den Komponenten \"google-oauth-client\", \"Apache Batik\" sowie \"Eclipse Jetty\" zur\u00fcckzuf\u00fchren. Ein entfernter, anonymer oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsvorkehrungen zu umgehen, Informationen offenzulegen oder einen Denial of Service Zustand herbeizuf\u00fchren."
}
],
"product_status": {
"known_affected": [
"389168"
]
},
"release_date": "2024-01-15T23:00:00.000+00:00",
"title": "CVE-2021-22573"
},
{
"cve": "CVE-2020-7692",
"notes": [
{
"category": "description",
"text": "In IBM Maximo Asset Management existieren mehrere Schwachstellen. Diese sind auf verschiedene Fehler in den Komponenten \"google-oauth-client\", \"Apache Batik\" sowie \"Eclipse Jetty\" zur\u00fcckzuf\u00fchren. Ein entfernter, anonymer oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsvorkehrungen zu umgehen, Informationen offenzulegen oder einen Denial of Service Zustand herbeizuf\u00fchren."
}
],
"product_status": {
"known_affected": [
"389168"
]
},
"release_date": "2024-01-15T23:00:00.000+00:00",
"title": "CVE-2020-7692"
},
{
"cve": "CVE-2023-47718",
"notes": [
{
"category": "description",
"text": "In IBM Maximo Asset Management existiert eine Schwachstelle. Diese ist auf eine Anf\u00e4lligkeit f\u00fcr einen Cross-Site-Request-Forgery-Angriff zur\u00fcckzuf\u00fchren. Ein entfernter, anonymer Angreifer kann diese Schwachstelle ausnutzen, um beliebigen Programmcode auszuf\u00fchren. Zur erfolgreichen Ausnutzung ist eine Benutzeraktion erforderlich."
}
],
"product_status": {
"known_affected": [
"389168"
]
},
"release_date": "2024-01-15T23:00:00.000+00:00",
"title": "CVE-2023-47718"
}
]
}
WID-SEC-W-2024-0096
Vulnerability from csaf_certbund - Published: 2024-01-15 23:00 - Updated: 2024-01-17 23:00Summary
Atlassian Jira Service Management Data Center and Server: Schwachstelle ermöglicht Offenlegung von Informationen und DoS
Notes
Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.
Produktbeschreibung
Jira ist eine Webanwendung zur Softwareentwicklung.
Angriff
Ein entfernter, anonymer Angreifer kann eine Schwachstelle in Atlassian Jira Service Management Data Center and Server ausnutzen, um Informationen offenzulegen oder einen Denial of Servie zu verursachen.
Betroffene Betriebssysteme
- UNIX
- Linux
- Windows
{
"document": {
"aggregate_severity": {
"text": "mittel"
},
"category": "csaf_base",
"csaf_version": "2.0",
"distribution": {
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "de-DE",
"notes": [
{
"category": "legal_disclaimer",
"text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
},
{
"category": "description",
"text": "Jira ist eine Webanwendung zur Softwareentwicklung.",
"title": "Produktbeschreibung"
},
{
"category": "summary",
"text": "Ein entfernter, anonymer Angreifer kann eine Schwachstelle in Atlassian Jira Service Management Data Center and Server ausnutzen, um Informationen offenzulegen oder einen Denial of Servie zu verursachen.",
"title": "Angriff"
},
{
"category": "general",
"text": "- UNIX\n- Linux\n- Windows",
"title": "Betroffene Betriebssysteme"
}
],
"publisher": {
"category": "other",
"contact_details": "csaf-provider@cert-bund.de",
"name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
"namespace": "https://www.bsi.bund.de"
},
"references": [
{
"category": "self",
"summary": "WID-SEC-W-2024-0096 - CSAF Version",
"url": "https://wid.cert-bund.de/.well-known/csaf/white/2024/wid-sec-w-2024-0096.json"
},
{
"category": "self",
"summary": "WID-SEC-2024-0096 - Portal Version",
"url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2024-0096"
},
{
"category": "external",
"summary": "Atlassian Security Advisory vom 2024-01-15",
"url": "https://jira.atlassian.com/browse/JSDSERVER-14958"
}
],
"source_lang": "en-US",
"title": "Atlassian Jira Service Management Data Center and Server: Schwachstelle erm\u00f6glicht Offenlegung von Informationen und DoS",
"tracking": {
"current_release_date": "2024-01-17T23:00:00.000+00:00",
"generator": {
"date": "2024-08-15T18:03:41.278+00:00",
"engine": {
"name": "BSI-WID",
"version": "1.3.5"
}
},
"id": "WID-SEC-W-2024-0096",
"initial_release_date": "2024-01-15T23:00:00.000+00:00",
"revision_history": [
{
"date": "2024-01-15T23:00:00.000+00:00",
"number": "1",
"summary": "Initiale Fassung"
},
{
"date": "2024-01-17T23:00:00.000+00:00",
"number": "2",
"summary": "Produktversion angepasst"
}
],
"status": "final",
"version": "2"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Atlassian Jira Software Service Management \u003c 4.20.30",
"product": {
"name": "Atlassian Jira Software Service Management \u003c 4.20.30",
"product_id": "T032243",
"product_identification_helper": {
"cpe": "cpe:/a:atlassian:jira_software:service_management__4.20.30"
}
}
},
{
"category": "product_name",
"name": "Atlassian Jira Software Service Management \u003c 5.12.2",
"product": {
"name": "Atlassian Jira Software Service Management \u003c 5.12.2",
"product_id": "T032244",
"product_identification_helper": {
"cpe": "cpe:/a:atlassian:jira_software:service_management__5.12.2"
}
}
},
{
"category": "product_name",
"name": "Atlassian Jira Software Service Management \u003c 5.4.15",
"product": {
"name": "Atlassian Jira Software Service Management \u003c 5.4.15",
"product_id": "T032245",
"product_identification_helper": {
"cpe": "cpe:/a:atlassian:jira_software:service_management__5.4.15"
}
}
}
],
"category": "product_name",
"name": "Jira Software"
}
],
"category": "vendor",
"name": "Atlassian"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2022-44729",
"notes": [
{
"category": "description",
"text": "Es besteht eine Schwachstelle in der Atlassian Jira Service Management Data Center and Server. Dieser Fehler besteht in der Komponente org.apache.xmlgraphics:batik-bridge aufgrund eines Server-Side Request Forgery Problems. Ein entfernter, anonymer Angreifer kann diese Schwachstelle ausnutzen, um vertrauliche Informationen offenzulegen oder einen Denial of Service zu verursachen. Eine erfolgreiche Ausnutzung erfordert eine Benutzerinteraktion."
}
],
"release_date": "2024-01-15T23:00:00.000+00:00",
"title": "CVE-2022-44729"
}
]
}
WID-SEC-W-2024-0122
Vulnerability from csaf_certbund - Published: 2024-01-16 23:00 - Updated: 2024-01-16 23:00Summary
Oracle Hyperion: Mehrere Schwachstellen
Notes
Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.
Produktbeschreibung
Oracle Hyperion bietet Lösungen für Business Intelligence, Planung und Konsolidierung.
Angriff
Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in Oracle Hyperion ausnutzen, um die Vertraulichkeit, Integrität und Verfügbarkeit zu gefährden.
Betroffene Betriebssysteme
- UNIX
- Linux
- Windows
{
"document": {
"aggregate_severity": {
"text": "hoch"
},
"category": "csaf_base",
"csaf_version": "2.0",
"distribution": {
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "de-DE",
"notes": [
{
"category": "legal_disclaimer",
"text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
},
{
"category": "description",
"text": "Oracle Hyperion bietet L\u00f6sungen f\u00fcr Business Intelligence, Planung und Konsolidierung.",
"title": "Produktbeschreibung"
},
{
"category": "summary",
"text": "Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in Oracle Hyperion ausnutzen, um die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit zu gef\u00e4hrden.",
"title": "Angriff"
},
{
"category": "general",
"text": "- UNIX\n- Linux\n- Windows",
"title": "Betroffene Betriebssysteme"
}
],
"publisher": {
"category": "other",
"contact_details": "csaf-provider@cert-bund.de",
"name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
"namespace": "https://www.bsi.bund.de"
},
"references": [
{
"category": "self",
"summary": "WID-SEC-W-2024-0122 - CSAF Version",
"url": "https://wid.cert-bund.de/.well-known/csaf/white/2024/wid-sec-w-2024-0122.json"
},
{
"category": "self",
"summary": "WID-SEC-2024-0122 - Portal Version",
"url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2024-0122"
},
{
"category": "external",
"summary": "Oracle Critical Patch Update Advisory - January 2024 - Appendix Oracle Hyperion vom 2024-01-16",
"url": "https://www.oracle.com/security-alerts/cpujan2024.html#AppendixHYP"
}
],
"source_lang": "en-US",
"title": "Oracle Hyperion: Mehrere Schwachstellen",
"tracking": {
"current_release_date": "2024-01-16T23:00:00.000+00:00",
"generator": {
"date": "2024-08-15T18:03:49.620+00:00",
"engine": {
"name": "BSI-WID",
"version": "1.3.5"
}
},
"id": "WID-SEC-W-2024-0122",
"initial_release_date": "2024-01-16T23:00:00.000+00:00",
"revision_history": [
{
"date": "2024-01-16T23:00:00.000+00:00",
"number": "1",
"summary": "Initiale Fassung"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Oracle Hyperion 11.2.14.0.000",
"product": {
"name": "Oracle Hyperion 11.2.14.0.000",
"product_id": "T030605",
"product_identification_helper": {
"cpe": "cpe:/a:oracle:hyperion:11.2.14.0.000"
}
}
}
],
"category": "vendor",
"name": "Oracle"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2023-5072",
"notes": [
{
"category": "description",
"text": "In Oracle Hyperion existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T030605"
]
},
"release_date": "2024-01-16T23:00:00.000+00:00",
"title": "CVE-2023-5072"
},
{
"cve": "CVE-2023-50164",
"notes": [
{
"category": "description",
"text": "In Oracle Hyperion existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T030605"
]
},
"release_date": "2024-01-16T23:00:00.000+00:00",
"title": "CVE-2023-50164"
},
{
"cve": "CVE-2022-44729",
"notes": [
{
"category": "description",
"text": "In Oracle Hyperion existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T030605"
]
},
"release_date": "2024-01-16T23:00:00.000+00:00",
"title": "CVE-2022-44729"
},
{
"cve": "CVE-2022-37434",
"notes": [
{
"category": "description",
"text": "In Oracle Hyperion existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T030605"
]
},
"release_date": "2024-01-16T23:00:00.000+00:00",
"title": "CVE-2022-37434"
},
{
"cve": "CVE-2021-42575",
"notes": [
{
"category": "description",
"text": "In Oracle Hyperion existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T030605"
]
},
"release_date": "2024-01-16T23:00:00.000+00:00",
"title": "CVE-2021-42575"
},
{
"cve": "CVE-2021-29425",
"notes": [
{
"category": "description",
"text": "In Oracle Hyperion existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T030605"
]
},
"release_date": "2024-01-16T23:00:00.000+00:00",
"title": "CVE-2021-29425"
},
{
"cve": "CVE-2019-10086",
"notes": [
{
"category": "description",
"text": "In Oracle Hyperion existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T030605"
]
},
"release_date": "2024-01-16T23:00:00.000+00:00",
"title": "CVE-2019-10086"
}
]
}
WID-SEC-W-2024-0123
Vulnerability from csaf_certbund - Published: 2024-01-16 23:00 - Updated: 2024-01-16 23:00Summary
Oracle Fusion Middleware: Mehrere Schwachstellen
Notes
Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.
Produktbeschreibung
Oracle Fusion Middleware bündelt mehrere Produkte zur Erstellung, Betrieb und Management von intelligenten Business Anwendungen.
Angriff
Ein entfernter, anonymer oder authentisierter Angreifer kann mehrere Schwachstellen in Oracle Fusion Middleware ausnutzen, um die Vertraulichkeit, Integrität und Verfügbarkeit zu gefährden.
Betroffene Betriebssysteme
- UNIX
- Linux
- Windows
{
"document": {
"aggregate_severity": {
"text": "hoch"
},
"category": "csaf_base",
"csaf_version": "2.0",
"distribution": {
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "de-DE",
"notes": [
{
"category": "legal_disclaimer",
"text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
},
{
"category": "description",
"text": "Oracle Fusion Middleware b\u00fcndelt mehrere Produkte zur Erstellung, Betrieb und Management von intelligenten Business Anwendungen.",
"title": "Produktbeschreibung"
},
{
"category": "summary",
"text": "Ein entfernter, anonymer oder authentisierter Angreifer kann mehrere Schwachstellen in Oracle Fusion Middleware ausnutzen, um die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit zu gef\u00e4hrden.",
"title": "Angriff"
},
{
"category": "general",
"text": "- UNIX\n- Linux\n- Windows",
"title": "Betroffene Betriebssysteme"
}
],
"publisher": {
"category": "other",
"contact_details": "csaf-provider@cert-bund.de",
"name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
"namespace": "https://www.bsi.bund.de"
},
"references": [
{
"category": "self",
"summary": "WID-SEC-W-2024-0123 - CSAF Version",
"url": "https://wid.cert-bund.de/.well-known/csaf/white/2024/wid-sec-w-2024-0123.json"
},
{
"category": "self",
"summary": "WID-SEC-2024-0123 - Portal Version",
"url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2024-0123"
},
{
"category": "external",
"summary": "Oracle Critical Patch Update Advisory - January 2024 - Appendix Oracle Fusion Middleware vom 2024-01-16",
"url": "https://www.oracle.com/security-alerts/cpujan2024.html#AppendixFMW"
}
],
"source_lang": "en-US",
"title": "Oracle Fusion Middleware: Mehrere Schwachstellen",
"tracking": {
"current_release_date": "2024-01-16T23:00:00.000+00:00",
"generator": {
"date": "2024-08-15T18:03:49.864+00:00",
"engine": {
"name": "BSI-WID",
"version": "1.3.5"
}
},
"id": "WID-SEC-W-2024-0123",
"initial_release_date": "2024-01-16T23:00:00.000+00:00",
"revision_history": [
{
"date": "2024-01-16T23:00:00.000+00:00",
"number": "1",
"summary": "Initiale Fassung"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Oracle Fusion Middleware 12.2.1.4.0",
"product": {
"name": "Oracle Fusion Middleware 12.2.1.4.0",
"product_id": "751674",
"product_identification_helper": {
"cpe": "cpe:/a:oracle:fusion_middleware:12.2.1.4.0"
}
}
},
{
"category": "product_name",
"name": "Oracle Fusion Middleware 14.1.1.0.0",
"product": {
"name": "Oracle Fusion Middleware 14.1.1.0.0",
"product_id": "829576",
"product_identification_helper": {
"cpe": "cpe:/a:oracle:fusion_middleware:14.1.1.0.0"
}
}
},
{
"category": "product_name",
"name": "Oracle Fusion Middleware 8.5.6",
"product": {
"name": "Oracle Fusion Middleware 8.5.6",
"product_id": "T024993",
"product_identification_helper": {
"cpe": "cpe:/a:oracle:fusion_middleware:8.5.6"
}
}
}
],
"category": "product_name",
"name": "Fusion Middleware"
}
],
"category": "vendor",
"name": "Oracle"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2024-20986",
"notes": [
{
"category": "description",
"text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T024993",
"751674",
"829576"
]
},
"release_date": "2024-01-16T23:00:00.000+00:00",
"title": "CVE-2024-20986"
},
{
"cve": "CVE-2024-20931",
"notes": [
{
"category": "description",
"text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T024993",
"751674",
"829576"
]
},
"release_date": "2024-01-16T23:00:00.000+00:00",
"title": "CVE-2024-20931"
},
{
"cve": "CVE-2024-20930",
"notes": [
{
"category": "description",
"text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T024993",
"751674",
"829576"
]
},
"release_date": "2024-01-16T23:00:00.000+00:00",
"title": "CVE-2024-20930"
},
{
"cve": "CVE-2024-20928",
"notes": [
{
"category": "description",
"text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T024993",
"751674",
"829576"
]
},
"release_date": "2024-01-16T23:00:00.000+00:00",
"title": "CVE-2024-20928"
},
{
"cve": "CVE-2024-20927",
"notes": [
{
"category": "description",
"text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T024993",
"751674",
"829576"
]
},
"release_date": "2024-01-16T23:00:00.000+00:00",
"title": "CVE-2024-20927"
},
{
"cve": "CVE-2024-20908",
"notes": [
{
"category": "description",
"text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T024993",
"751674",
"829576"
]
},
"release_date": "2024-01-16T23:00:00.000+00:00",
"title": "CVE-2024-20908"
},
{
"cve": "CVE-2023-5072",
"notes": [
{
"category": "description",
"text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T024993",
"751674",
"829576"
]
},
"release_date": "2024-01-16T23:00:00.000+00:00",
"title": "CVE-2023-5072"
},
{
"cve": "CVE-2023-49093",
"notes": [
{
"category": "description",
"text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T024993",
"751674",
"829576"
]
},
"release_date": "2024-01-16T23:00:00.000+00:00",
"title": "CVE-2023-49093"
},
{
"cve": "CVE-2023-46604",
"notes": [
{
"category": "description",
"text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T024993",
"751674",
"829576"
]
},
"release_date": "2024-01-16T23:00:00.000+00:00",
"title": "CVE-2023-46604"
},
{
"cve": "CVE-2023-44487",
"notes": [
{
"category": "description",
"text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T024993",
"751674",
"829576"
]
},
"release_date": "2024-01-16T23:00:00.000+00:00",
"title": "CVE-2023-44487"
},
{
"cve": "CVE-2023-44483",
"notes": [
{
"category": "description",
"text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T024993",
"751674",
"829576"
]
},
"release_date": "2024-01-16T23:00:00.000+00:00",
"title": "CVE-2023-44483"
},
{
"cve": "CVE-2023-43643",
"notes": [
{
"category": "description",
"text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T024993",
"751674",
"829576"
]
},
"release_date": "2024-01-16T23:00:00.000+00:00",
"title": "CVE-2023-43643"
},
{
"cve": "CVE-2023-42503",
"notes": [
{
"category": "description",
"text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T024993",
"751674",
"829576"
]
},
"release_date": "2024-01-16T23:00:00.000+00:00",
"title": "CVE-2023-42503"
},
{
"cve": "CVE-2023-39410",
"notes": [
{
"category": "description",
"text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T024993",
"751674",
"829576"
]
},
"release_date": "2024-01-16T23:00:00.000+00:00",
"title": "CVE-2023-39410"
},
{
"cve": "CVE-2023-38545",
"notes": [
{
"category": "description",
"text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T024993",
"751674",
"829576"
]
},
"release_date": "2024-01-16T23:00:00.000+00:00",
"title": "CVE-2023-38545"
},
{
"cve": "CVE-2023-3817",
"notes": [
{
"category": "description",
"text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T024993",
"751674",
"829576"
]
},
"release_date": "2024-01-16T23:00:00.000+00:00",
"title": "CVE-2023-3817"
},
{
"cve": "CVE-2023-3635",
"notes": [
{
"category": "description",
"text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T024993",
"751674",
"829576"
]
},
"release_date": "2024-01-16T23:00:00.000+00:00",
"title": "CVE-2023-3635"
},
{
"cve": "CVE-2023-33201",
"notes": [
{
"category": "description",
"text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T024993",
"751674",
"829576"
]
},
"release_date": "2024-01-16T23:00:00.000+00:00",
"title": "CVE-2023-33201"
},
{
"cve": "CVE-2023-32697",
"notes": [
{
"category": "description",
"text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T024993",
"751674",
"829576"
]
},
"release_date": "2024-01-16T23:00:00.000+00:00",
"title": "CVE-2023-32697"
},
{
"cve": "CVE-2023-2976",
"notes": [
{
"category": "description",
"text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T024993",
"751674",
"829576"
]
},
"release_date": "2024-01-16T23:00:00.000+00:00",
"title": "CVE-2023-2976"
},
{
"cve": "CVE-2023-21949",
"notes": [
{
"category": "description",
"text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T024993",
"751674",
"829576"
]
},
"release_date": "2024-01-16T23:00:00.000+00:00",
"title": "CVE-2023-21949"
},
{
"cve": "CVE-2022-44729",
"notes": [
{
"category": "description",
"text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T024993",
"751674",
"829576"
]
},
"release_date": "2024-01-16T23:00:00.000+00:00",
"title": "CVE-2022-44729"
},
{
"cve": "CVE-2022-23221",
"notes": [
{
"category": "description",
"text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T024993",
"751674",
"829576"
]
},
"release_date": "2024-01-16T23:00:00.000+00:00",
"title": "CVE-2022-23221"
},
{
"cve": "CVE-2021-37533",
"notes": [
{
"category": "description",
"text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T024993",
"751674",
"829576"
]
},
"release_date": "2024-01-16T23:00:00.000+00:00",
"title": "CVE-2021-37533"
},
{
"cve": "CVE-2021-36090",
"notes": [
{
"category": "description",
"text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T024993",
"751674",
"829576"
]
},
"release_date": "2024-01-16T23:00:00.000+00:00",
"title": "CVE-2021-36090"
},
{
"cve": "CVE-2021-33813",
"notes": [
{
"category": "description",
"text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T024993",
"751674",
"829576"
]
},
"release_date": "2024-01-16T23:00:00.000+00:00",
"title": "CVE-2021-33813"
},
{
"cve": "CVE-2021-0341",
"notes": [
{
"category": "description",
"text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T024993",
"751674",
"829576"
]
},
"release_date": "2024-01-16T23:00:00.000+00:00",
"title": "CVE-2021-0341"
},
{
"cve": "CVE-2020-5421",
"notes": [
{
"category": "description",
"text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T024993",
"751674",
"829576"
]
},
"release_date": "2024-01-16T23:00:00.000+00:00",
"title": "CVE-2020-5421"
}
]
}
RHSA-2023_5441
Vulnerability from csaf_redhat - Published: 2023-10-04 11:59 - Updated: 2024-12-16 18:32Summary
Red Hat Security Advisory: Red Hat Integration Camel for Spring Boot 4.0.0 release and security update
Notes
Topic
Red Hat Integration Camel for Spring Boot 4.0.0 release and security update is now available.
Red Hat Product Security has rated this update as having an impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
Red Hat Integration Camel for Spring Boot 4.0.0 is now available. The purpose of this text-only errata is to inform you about the security issues fixed.
* batik: Server-Side Request Forgery vulnerability (CVE-2022-44729)
* batik: Server-Side Request Forgery vulnerability (CVE-2022-44730)
* apache-ivy: XML External Entity vulnerability (CVE-2022-46751)
* jetty-server: OutOfMemoryError for large multipart without filename read via request.getParameter() (CVE-2023-26048)
* jetty-server: Cookie parsing of quoted values can exfiltrate values from other cookies (CVE-2023-26049)
* apache-johnzon: Prevent inefficient internal conversion from BigDecimal at large scale (CVE-2023-33008)
* netty: io.netty:netty-handler: SniHandler 16MB allocation (CVE-2023-34462)
* jetty-http: jetty: Improper validation of HTTP/1 content-length (CVE-2023-40167)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Red Hat Integration Camel for Spring Boot 4.0.0 release and security update is now available. \n\nRed Hat Product Security has rated this update as having an impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Red Hat Integration Camel for Spring Boot 4.0.0 is now available. The purpose of this text-only errata is to inform you about the security issues fixed.\n\n* batik: Server-Side Request Forgery vulnerability (CVE-2022-44729)\n\n* batik: Server-Side Request Forgery vulnerability (CVE-2022-44730)\n\n* apache-ivy: XML External Entity vulnerability (CVE-2022-46751)\n\n* jetty-server: OutOfMemoryError for large multipart without filename read via request.getParameter() (CVE-2023-26048)\n\n* jetty-server: Cookie parsing of quoted values can exfiltrate values from other cookies (CVE-2023-26049)\n\n* apache-johnzon: Prevent inefficient internal conversion from BigDecimal at large scale (CVE-2023-33008)\n\n* netty: io.netty:netty-handler: SniHandler 16MB allocation (CVE-2023-34462)\n\n* jetty-http: jetty: Improper validation of HTTP/1 content-length (CVE-2023-40167)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2023:5441",
"url": "https://access.redhat.com/errata/RHSA-2023:5441"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#moderate",
"url": "https://access.redhat.com/security/updates/classification/#moderate"
},
{
"category": "external",
"summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions\u0026product=red.hat.integration\u0026version=2023-Q4",
"url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions\u0026product=red.hat.integration\u0026version=2023-Q4"
},
{
"category": "external",
"summary": "2216888",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2216888"
},
{
"category": "external",
"summary": "2221135",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2221135"
},
{
"category": "external",
"summary": "2233112",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2233112"
},
{
"category": "external",
"summary": "2233889",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2233889"
},
{
"category": "external",
"summary": "2233899",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2233899"
},
{
"category": "external",
"summary": "2236340",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2236340"
},
{
"category": "external",
"summary": "2236341",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2236341"
},
{
"category": "external",
"summary": "2239634",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2239634"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2023/rhsa-2023_5441.json"
}
],
"title": "Red Hat Security Advisory: Red Hat Integration Camel for Spring Boot 4.0.0 release and security update",
"tracking": {
"current_release_date": "2024-12-16T18:32:20+00:00",
"generator": {
"date": "2024-12-16T18:32:20+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.2.3"
}
},
"id": "RHSA-2023:5441",
"initial_release_date": "2023-10-04T11:59:23+00:00",
"revision_history": [
{
"date": "2023-10-04T11:59:23+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2023-10-04T11:59:23+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2024-12-16T18:32:20+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "RHINT Camel-Springboot 4.0.0",
"product": {
"name": "RHINT Camel-Springboot 4.0.0",
"product_id": "RHINT Camel-Springboot 4.0.0",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:camel_spring_boot:4.0.0"
}
}
}
],
"category": "product_family",
"name": "Red Hat Integration"
}
],
"category": "vendor",
"name": "Red Hat"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2022-44729",
"cwe": {
"id": "CWE-918",
"name": "Server-Side Request Forgery (SSRF)"
},
"discovery_date": "2023-08-22T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2233889"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Apache Batik 1.0 - 1.16. This issue occurs due to a malicious SVG triggering external resources loading by default, causing resource consumption or in some cases information disclosure.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "batik: Server-Side Request Forgery vulnerability",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"RHINT Camel-Springboot 4.0.0"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-44729"
},
{
"category": "external",
"summary": "RHBZ#2233889",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2233889"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-44729",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-44729"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-44729",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-44729"
},
{
"category": "external",
"summary": "https://github.com/advisories/GHSA-gq5f-xv48-2365",
"url": "https://github.com/advisories/GHSA-gq5f-xv48-2365"
},
{
"category": "external",
"summary": "https://lists.apache.org/thread/hco2nw1typoorz33qzs0fcdx0ws6d6j2",
"url": "https://lists.apache.org/thread/hco2nw1typoorz33qzs0fcdx0ws6d6j2"
}
],
"release_date": "2023-08-22T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-10-04T11:59:23+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"RHINT Camel-Springboot 4.0.0"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:5441"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L",
"version": "3.1"
},
"products": [
"RHINT Camel-Springboot 4.0.0"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "batik: Server-Side Request Forgery vulnerability"
},
{
"cve": "CVE-2022-44730",
"cwe": {
"id": "CWE-918",
"name": "Server-Side Request Forgery (SSRF)"
},
"discovery_date": "2023-08-22T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2233899"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Apache Batik, where a malicious SVG can probe user profile data and send it directly as parameter to a URL. This issue can allow an attacker to conduct SSRF attacks.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "batik: Server-Side Request Forgery vulnerability",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"RHINT Camel-Springboot 4.0.0"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-44730"
},
{
"category": "external",
"summary": "RHBZ#2233899",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2233899"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-44730",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-44730"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-44730",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-44730"
},
{
"category": "external",
"summary": "https://github.com/advisories/GHSA-2474-2566-3qxp",
"url": "https://github.com/advisories/GHSA-2474-2566-3qxp"
},
{
"category": "external",
"summary": "https://lists.apache.org/thread/58m5817jr059f4v1zogh0fngj9pwjyj0",
"url": "https://lists.apache.org/thread/58m5817jr059f4v1zogh0fngj9pwjyj0"
}
],
"release_date": "2023-08-22T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-10-04T11:59:23+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"RHINT Camel-Springboot 4.0.0"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:5441"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L",
"version": "3.1"
},
"products": [
"RHINT Camel-Springboot 4.0.0"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "batik: Server-Side Request Forgery vulnerability"
},
{
"cve": "CVE-2022-46751",
"cwe": {
"id": "CWE-91",
"name": "XML Injection (aka Blind XPath Injection)"
},
"discovery_date": "2023-08-21T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2233112"
}
],
"notes": [
{
"category": "description",
"text": "Improper Restriction of XML External Entity Reference, XML Injection (aka Blind XPath Injection) vulnerability in Apache Software Foundation Apache Ivy.This issue affects any version of Apache Ivy prior to 2.5.2.\n\nWhen Apache Ivy prior to 2.5.2 parses XML files - either its own configuration, Ivy files or Apache Maven POMs - it will allow downloading external document type definitions and expand any entity references contained therein when used.\n\nThis can be used to exfiltrate data, access resources only the machine running Ivy has access to or disturb the execution of Ivy in different ways.\n\nStarting with Ivy 2.5.2 DTD processing is disabled by default except when parsing Maven POMs where the default is to allow DTD processing but only to include a DTD snippet shipping with Ivy that is needed to deal with existing Maven POMs that are not valid XML files but are nevertheless accepted by Maven. Access can be be made more lenient via newly introduced system properties where needed.\n\nUsers of Ivy prior to version 2.5.2 can use Java system properties to restrict processing of external DTDs, see the section about \"JAXP Properties for External Access restrictions\" inside Oracle\u0027s \"Java API for XML Processing (JAXP) Security Guide\".\n\n",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "apache-ivy: XML External Entity vulnerability",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"RHINT Camel-Springboot 4.0.0"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-46751"
},
{
"category": "external",
"summary": "RHBZ#2233112",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2233112"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-46751",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-46751"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-46751",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-46751"
},
{
"category": "external",
"summary": "https://lists.apache.org/thread/1dj60hg5nr36kjr4p1100dwjrqookps8",
"url": "https://lists.apache.org/thread/1dj60hg5nr36kjr4p1100dwjrqookps8"
}
],
"release_date": "2023-08-20T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-10-04T11:59:23+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"RHINT Camel-Springboot 4.0.0"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:5441"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L",
"version": "3.1"
},
"products": [
"RHINT Camel-Springboot 4.0.0"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "apache-ivy: XML External Entity vulnerability"
},
{
"cve": "CVE-2023-26048",
"cwe": {
"id": "CWE-770",
"name": "Allocation of Resources Without Limits or Throttling"
},
"discovery_date": "2023-08-30T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2236340"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the jetty-server package. A servlet with multipart support could get an OutOfMemorryError when the client sends a part that has a name but no filename and substantial content. This flaw allows a malicious user to jeopardize the environment by leaving the JVM in an unreliable state.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jetty-server: OutOfMemoryError for large multipart without filename read via request.getParameter()",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"RHINT Camel-Springboot 4.0.0"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2023-26048"
},
{
"category": "external",
"summary": "RHBZ#2236340",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2236340"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2023-26048",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-26048"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-26048",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-26048"
},
{
"category": "external",
"summary": "https://github.com/eclipse/jetty.project/security/advisories/GHSA-qw69-rqj8-6qw8",
"url": "https://github.com/eclipse/jetty.project/security/advisories/GHSA-qw69-rqj8-6qw8"
}
],
"release_date": "2023-04-18T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-10-04T11:59:23+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"RHINT Camel-Springboot 4.0.0"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:5441"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"products": [
"RHINT Camel-Springboot 4.0.0"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "jetty-server: OutOfMemoryError for large multipart without filename read via request.getParameter()"
},
{
"cve": "CVE-2023-26049",
"cwe": {
"id": "CWE-1286",
"name": "Improper Validation of Syntactic Correctness of Input"
},
"discovery_date": "2023-08-30T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2236341"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the jetty-server package. Nonstandard cookie parsing in Jetty may allow an attacker to smuggle cookies within other cookies or otherwise perform unintended behavior by tampering with the cookie parsing mechanism.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jetty-server: Cookie parsing of quoted values can exfiltrate values from other cookies",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"RHINT Camel-Springboot 4.0.0"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2023-26049"
},
{
"category": "external",
"summary": "RHBZ#2236341",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2236341"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2023-26049",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-26049"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-26049",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-26049"
},
{
"category": "external",
"summary": "https://github.com/eclipse/jetty.project/security/advisories/GHSA-p26g-97m4-6q7c",
"url": "https://github.com/eclipse/jetty.project/security/advisories/GHSA-p26g-97m4-6q7c"
}
],
"release_date": "2023-04-18T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-10-04T11:59:23+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"RHINT Camel-Springboot 4.0.0"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:5441"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"products": [
"RHINT Camel-Springboot 4.0.0"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "jetty-server: Cookie parsing of quoted values can exfiltrate values from other cookies"
},
{
"cve": "CVE-2023-33008",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2023-07-07T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2221135"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Apache Johnzon. This issue could allow an attacker to craft a specific JSON input that Johnzon will deserialize into a BigDecimal, which Johnzon may use to start converting large numbers, resulting in a denial of service.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "apache-johnzon: Prevent inefficient internal conversion from BigDecimal at large scale",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"RHINT Camel-Springboot 4.0.0"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2023-33008"
},
{
"category": "external",
"summary": "RHBZ#2221135",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2221135"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2023-33008",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-33008"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-33008",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-33008"
},
{
"category": "external",
"summary": "https://lists.apache.org/thread/qbg14djo95gfpk7o560lr8wcrzfyw43l",
"url": "https://lists.apache.org/thread/qbg14djo95gfpk7o560lr8wcrzfyw43l"
}
],
"release_date": "2023-07-06T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-10-04T11:59:23+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"RHINT Camel-Springboot 4.0.0"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:5441"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"products": [
"RHINT Camel-Springboot 4.0.0"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "apache-johnzon: Prevent inefficient internal conversion from BigDecimal at large scale"
},
{
"cve": "CVE-2023-34462",
"cwe": {
"id": "CWE-770",
"name": "Allocation of Resources Without Limits or Throttling"
},
"discovery_date": "2023-06-23T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2216888"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Netty\u0027s SniHandler while navigating TLS handshake which may permit a large heap allocation if the handler did not have a timeout configured. This issue may allow an attacker to send a client hello packet which would cause the server to buffer large amounts of data per connection, potentially causing an out of memory error, resulting in Denial of Service.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "netty: SniHandler 16MB allocation leads to OOM",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"RHINT Camel-Springboot 4.0.0"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2023-34462"
},
{
"category": "external",
"summary": "RHBZ#2216888",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2216888"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2023-34462",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-34462"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-34462",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-34462"
}
],
"release_date": "2023-06-23T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-10-04T11:59:23+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"RHINT Camel-Springboot 4.0.0"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:5441"
},
{
"category": "workaround",
"details": "Configuration of SniHandler with an idle timeout will mitigate this issue.",
"product_ids": [
"RHINT Camel-Springboot 4.0.0"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"RHINT Camel-Springboot 4.0.0"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "netty: SniHandler 16MB allocation leads to OOM"
},
{
"cve": "CVE-2023-40167",
"cwe": {
"id": "CWE-130",
"name": "Improper Handling of Length Parameter Inconsistency"
},
"discovery_date": "2023-09-19T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2239634"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Jetty that permits a plus sign (+) preceding the content-length value in a HTTP/1 header field, which is non-standard and more permissive than RFC. This issue could allow an attacker to request smuggling in conjunction with a server that does not close connections after 400 responses.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jetty: Improper validation of HTTP/1 content-length",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"RHINT Camel-Springboot 4.0.0"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2023-40167"
},
{
"category": "external",
"summary": "RHBZ#2239634",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2239634"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2023-40167",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-40167"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-40167",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-40167"
},
{
"category": "external",
"summary": "https://github.com/eclipse/jetty.project/security/advisories/GHSA-hmr7-m48g-48f6",
"url": "https://github.com/eclipse/jetty.project/security/advisories/GHSA-hmr7-m48g-48f6"
},
{
"category": "external",
"summary": "https://www.rfc-editor.org/rfc/rfc9110#section-8.6",
"url": "https://www.rfc-editor.org/rfc/rfc9110#section-8.6"
}
],
"release_date": "2023-09-19T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-10-04T11:59:23+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"RHINT Camel-Springboot 4.0.0"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:5441"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"products": [
"RHINT Camel-Springboot 4.0.0"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "jetty: Improper validation of HTTP/1 content-length"
}
]
}
RHSA-2024:1353
Vulnerability from csaf_redhat - Published: 2024-03-18 09:47 - Updated: 2025-11-21 18:57Summary
Red Hat Security Advisory: Red Hat Process Automation Manager 7.13.5 security update
Notes
Topic
An update is now available for Red Hat Process Automation Manager.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which provides a detailed severity rating, is available for each vulnerability from the CVE links in the References section.
Details
Red Hat Process Automation Manager is an open source business process management suite that combines process management and decision service management and enables business and IT users to create, manage, validate, and deploy process applications and decision services.
This asynchronous security patch is an update to Red Hat Process Automation Manager 7.
Security Fixes:
* JSON-java: parser confusion leads to OOM (CVE-2023-5072)
* okio: GzipSource class improper exception handling (CVE-2023-3635)
* xstream: Denial of Service by injecting recursive collections or maps based on element's hash values raising a stack overflow (CVE-2022-41966)
* batik: Server-Side Request Forgery vulnerability (CVE-2022-44729)
* batik: Server-Side Request Forgery vulnerability (CVE-2022-44730)
* bouncycastle: potential blind LDAP injection attack using a self-signed certificate (CVE-2023-33201)
* xstream: Xstream to serialise XML data was vulnerable to Denial of Service attacks (CVE-2022-40151)
* RESTEasy: creation of insecure temp files (CVE-2023-0482)
* snakeyaml: Constructor Deserialization Remote Code Execution (CVE-2022-1471)
For more details about the security issues, including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE pages listed in the References section.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update is now available for Red Hat Process Automation Manager.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which provides a detailed severity rating, is available for each vulnerability from the CVE links in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Red Hat Process Automation Manager is an open source business process management suite that combines process management and decision service management and enables business and IT users to create, manage, validate, and deploy process applications and decision services.\n\nThis asynchronous security patch is an update to Red Hat Process Automation Manager 7.\n\nSecurity Fixes:\n\n* JSON-java: parser confusion leads to OOM (CVE-2023-5072)\n\n* okio: GzipSource class improper exception handling (CVE-2023-3635)\n\n* xstream: Denial of Service by injecting recursive collections or maps based on element\u0027s hash values raising a stack overflow (CVE-2022-41966)\n\n* batik: Server-Side Request Forgery vulnerability (CVE-2022-44729)\n\n* batik: Server-Side Request Forgery vulnerability (CVE-2022-44730)\n\n* bouncycastle: potential blind LDAP injection attack using a self-signed certificate (CVE-2023-33201)\n\n* xstream: Xstream to serialise XML data was vulnerable to Denial of Service attacks (CVE-2022-40151)\n\n* RESTEasy: creation of insecure temp files (CVE-2023-0482)\n\n* snakeyaml: Constructor Deserialization Remote Code Execution (CVE-2022-1471)\n\nFor more details about the security issues, including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE pages listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2024:1353",
"url": "https://access.redhat.com/errata/RHSA-2024:1353"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "2134292",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2134292"
},
{
"category": "external",
"summary": "2150009",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2150009"
},
{
"category": "external",
"summary": "2166004",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2166004"
},
{
"category": "external",
"summary": "2170431",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2170431"
},
{
"category": "external",
"summary": "2215465",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2215465"
},
{
"category": "external",
"summary": "2229295",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2229295"
},
{
"category": "external",
"summary": "2233889",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2233889"
},
{
"category": "external",
"summary": "2233899",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2233899"
},
{
"category": "external",
"summary": "2246417",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2246417"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_1353.json"
}
],
"title": "Red Hat Security Advisory: Red Hat Process Automation Manager 7.13.5 security update",
"tracking": {
"current_release_date": "2025-11-21T18:57:21+00:00",
"generator": {
"date": "2025-11-21T18:57:21+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.6.12"
}
},
"id": "RHSA-2024:1353",
"initial_release_date": "2024-03-18T09:47:51+00:00",
"revision_history": [
{
"date": "2024-03-18T09:47:51+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2024-03-18T09:47:51+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2025-11-21T18:57:21+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "RHPAM 7.13.5 async",
"product": {
"name": "RHPAM 7.13.5 async",
"product_id": "RHPAM 7.13.5 async",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:jboss_enterprise_bpms_platform:7.13"
}
}
}
],
"category": "product_family",
"name": "Red Hat Process Automation Manager"
}
],
"category": "vendor",
"name": "Red Hat"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2022-1471",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2022-12-01T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2150009"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the SnakeYaml package. This flaw allows an attacker to benefit from remote code execution by sending malicious YAML content and this content being deserialized by the constructor. Deserialization is unsafe and leads to Remote Code Execution (RCE).",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "SnakeYaml: Constructor Deserialization Remote Code Execution",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "In the Red Hat Process Automation 7 (RHPAM) the untrusted, malicious YAML file for deserialization by the vulnerable Snakeyaml\u0027s SafeConstructor class must be provided intentionally by the RHPAM user which requires high privileges. The potential attack complexity is also high because it depends on conditions that are beyond the attacker\u0027s control. Due to that the impact for RHPAM is reduced to Low.\n\nRed Hat Fuse 7 does not expose by default any endpoint that passes incoming data/request into vulnerable Snakeyaml\u0027s Constructor class nor pass untrusted data to this class. When this class is used, it\u2019s still only used to parse internal configuration, hence the impact by this vulnerability to Red Hat Fuse 7 is reduced to Moderate.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"RHPAM 7.13.5 async"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-1471"
},
{
"category": "external",
"summary": "RHBZ#2150009",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2150009"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-1471",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-1471"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-1471",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1471"
},
{
"category": "external",
"summary": "https://github.com/google/security-research/security/advisories/GHSA-mjmj-j48q-9wg2",
"url": "https://github.com/google/security-research/security/advisories/GHSA-mjmj-j48q-9wg2"
}
],
"release_date": "2022-10-13T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2024-03-18T09:47:51+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"RHPAM 7.13.5 async"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2024:1353"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"RHPAM 7.13.5 async"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "SnakeYaml: Constructor Deserialization Remote Code Execution"
},
{
"cve": "CVE-2022-40151",
"cwe": {
"id": "CWE-787",
"name": "Out-of-bounds Write"
},
"discovery_date": "2022-10-13T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2134292"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the XStream package. This flaw allows an attacker to cause a denial of service (DoS) in its target via XML serialization.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "xstream: Xstream to serialise XML data was vulnerable to Denial of Service attacks",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"RHPAM 7.13.5 async"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-40151"
},
{
"category": "external",
"summary": "RHBZ#2134292",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2134292"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-40151",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-40151"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-40151",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-40151"
}
],
"release_date": "2022-09-16T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2024-03-18T09:47:51+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"RHPAM 7.13.5 async"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2024:1353"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"RHPAM 7.13.5 async"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "xstream: Xstream to serialise XML data was vulnerable to Denial of Service attacks"
},
{
"cve": "CVE-2022-41966",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2023-02-16T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2170431"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the xstream package. This flaw allows an attacker to cause a denial of service by injecting recursive collections or maps, raising a stack overflow.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "xstream: Denial of Service by injecting recursive collections or maps based on element\u0027s hash values raising a stack overflow",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Fuse 7 ships an affected version of XStream. No endpoint in any flavor of Fuse is accepting by default an unverified input stream passed directly to XStream unmarshaller. Documentation always recommend all the endpoints (TCP/UDP/HTTP(S)/other listeners) to have at least one layer of authentication/authorization and Fuse in general itself in particular has a lot of mechanisms to protect the endpoints.\n\nRed Hat Single Sign-On contains XStream as a transitive dependency from Infinispan and the same is not affected as NO_REFERENCE is in use.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"RHPAM 7.13.5 async"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-41966"
},
{
"category": "external",
"summary": "RHBZ#2170431",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2170431"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-41966",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-41966"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-41966",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41966"
},
{
"category": "external",
"summary": "https://github.com/x-stream/xstream/security/advisories/GHSA-j563-grx4-pjpv",
"url": "https://github.com/x-stream/xstream/security/advisories/GHSA-j563-grx4-pjpv"
}
],
"release_date": "2022-12-28T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2024-03-18T09:47:51+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"RHPAM 7.13.5 async"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2024:1353"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"RHPAM 7.13.5 async"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "xstream: Denial of Service by injecting recursive collections or maps based on element\u0027s hash values raising a stack overflow"
},
{
"cve": "CVE-2022-44729",
"cwe": {
"id": "CWE-918",
"name": "Server-Side Request Forgery (SSRF)"
},
"discovery_date": "2023-08-22T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2233889"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Apache Batik 1.0 - 1.16. This issue occurs due to a malicious SVG triggering external resources loading by default, causing resource consumption or in some cases information disclosure.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "batik: Server-Side Request Forgery vulnerability",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"RHPAM 7.13.5 async"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-44729"
},
{
"category": "external",
"summary": "RHBZ#2233889",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2233889"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-44729",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-44729"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-44729",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-44729"
},
{
"category": "external",
"summary": "https://github.com/advisories/GHSA-gq5f-xv48-2365",
"url": "https://github.com/advisories/GHSA-gq5f-xv48-2365"
},
{
"category": "external",
"summary": "https://lists.apache.org/thread/hco2nw1typoorz33qzs0fcdx0ws6d6j2",
"url": "https://lists.apache.org/thread/hco2nw1typoorz33qzs0fcdx0ws6d6j2"
}
],
"release_date": "2023-08-22T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2024-03-18T09:47:51+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"RHPAM 7.13.5 async"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2024:1353"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L",
"version": "3.1"
},
"products": [
"RHPAM 7.13.5 async"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "batik: Server-Side Request Forgery vulnerability"
},
{
"cve": "CVE-2022-44730",
"cwe": {
"id": "CWE-918",
"name": "Server-Side Request Forgery (SSRF)"
},
"discovery_date": "2023-08-22T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2233899"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Apache Batik, where a malicious SVG can probe user profile data and send it directly as parameter to a URL. This issue can allow an attacker to conduct SSRF attacks.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "batik: Server-Side Request Forgery vulnerability",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"RHPAM 7.13.5 async"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-44730"
},
{
"category": "external",
"summary": "RHBZ#2233899",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2233899"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-44730",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-44730"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-44730",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-44730"
},
{
"category": "external",
"summary": "https://github.com/advisories/GHSA-2474-2566-3qxp",
"url": "https://github.com/advisories/GHSA-2474-2566-3qxp"
},
{
"category": "external",
"summary": "https://lists.apache.org/thread/58m5817jr059f4v1zogh0fngj9pwjyj0",
"url": "https://lists.apache.org/thread/58m5817jr059f4v1zogh0fngj9pwjyj0"
}
],
"release_date": "2023-08-22T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2024-03-18T09:47:51+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"RHPAM 7.13.5 async"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2024:1353"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L",
"version": "3.1"
},
"products": [
"RHPAM 7.13.5 async"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "batik: Server-Side Request Forgery vulnerability"
},
{
"cve": "CVE-2023-0482",
"cwe": {
"id": "CWE-378",
"name": "Creation of Temporary File With Insecure Permissions"
},
"discovery_date": "2023-01-31T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2166004"
}
],
"notes": [
{
"category": "description",
"text": "In RESTEasy the insecure File.createTempFile() is used in the DataSourceProvider, FileProvider and Mime4JWorkaround classes which creates temp files with insecure permissions that could be read by a local user.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "RESTEasy: creation of insecure temp files",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"RHPAM 7.13.5 async"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2023-0482"
},
{
"category": "external",
"summary": "RHBZ#2166004",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2166004"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2023-0482",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-0482"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-0482",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0482"
}
],
"release_date": "2023-01-31T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2024-03-18T09:47:51+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"RHPAM 7.13.5 async"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2024:1353"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "LOW",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
},
"products": [
"RHPAM 7.13.5 async"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "RESTEasy: creation of insecure temp files"
},
{
"cve": "CVE-2023-3635",
"cwe": {
"id": "CWE-248",
"name": "Uncaught Exception"
},
"discovery_date": "2023-07-12T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2229295"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in SquareUp Okio. A class GzipSource does not handle an exception that might be raised when parsing a malformed gzip buffer. This issue may allow a malicious user to start processing a malformed file, which can result in a Denial of Service (DoS).",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "okio: GzipSource class improper exception handling",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat JBoss Enterprise Application Platform XP does contain Okio package but is not using GzipSource.java, which is the affected class.\nRed Hat support for Spring Boot is considered low impact as it\u0027s used by Dekorate during compilation process and not included in the resulting Jar.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"RHPAM 7.13.5 async"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2023-3635"
},
{
"category": "external",
"summary": "RHBZ#2229295",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2229295"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2023-3635",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-3635"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-3635",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-3635"
}
],
"release_date": "2023-07-12T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2024-03-18T09:47:51+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"RHPAM 7.13.5 async"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2024:1353"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"RHPAM 7.13.5 async"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "okio: GzipSource class improper exception handling"
},
{
"cve": "CVE-2023-5072",
"cwe": {
"id": "CWE-770",
"name": "Allocation of Resources Without Limits or Throttling"
},
"discovery_date": "2023-10-25T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2246417"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the org.json package. A bug in the parser exists, and an input string may lead to undefined usage of memory, leading to an out-of-memory error, causing a denial of service (DoS).",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "JSON-java: parser confusion leads to OOM",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This vulnerability may cause denial of service with a small string input, causing the server to be unresponsive easily, hence the Important impact.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"RHPAM 7.13.5 async"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2023-5072"
},
{
"category": "external",
"summary": "RHBZ#2246417",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2246417"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2023-5072",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-5072"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-5072",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-5072"
},
{
"category": "external",
"summary": "https://github.com/stleary/JSON-java/issues/758",
"url": "https://github.com/stleary/JSON-java/issues/758"
},
{
"category": "external",
"summary": "https://github.com/stleary/JSON-java/issues/771",
"url": "https://github.com/stleary/JSON-java/issues/771"
}
],
"release_date": "2023-10-12T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2024-03-18T09:47:51+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"RHPAM 7.13.5 async"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2024:1353"
},
{
"category": "workaround",
"details": "No current mitigation is available for this flaw.",
"product_ids": [
"RHPAM 7.13.5 async"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"RHPAM 7.13.5 async"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "JSON-java: parser confusion leads to OOM"
},
{
"cve": "CVE-2023-6481",
"cwe": {
"id": "CWE-400",
"name": "Uncontrolled Resource Consumption"
},
"discovery_date": "2023-12-05T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2252956"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the logback package. Affected versions of this package are vulnerable to Uncontrolled Resource Consumption (\u0027Resource Exhaustion\u0027) via the logback receiver component. This flaw allows an attacker to mount a denial-of-service attack by sending poisoned data.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "logback: A serialization vulnerability in logback receiver",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "The security vulnerability in the logback package is considered of moderate severity due to its potential for facilitating a denial-of-service (DoS) attack. While a DoS attack can disrupt service availability, this vulnerability may not lead to more severe consequences such as unauthorized access or data breaches.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"RHPAM 7.13.5 async"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2023-6481"
},
{
"category": "external",
"summary": "RHBZ#2252956",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2252956"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2023-6481",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-6481"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-6481",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6481"
}
],
"release_date": "2023-12-04T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2024-03-18T09:47:51+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"RHPAM 7.13.5 async"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2024:1353"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options don\u0027t meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"RHPAM 7.13.5 async"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"RHPAM 7.13.5 async"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "logback: A serialization vulnerability in logback receiver"
},
{
"cve": "CVE-2023-6717",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2023-12-11T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2253952"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the SAML client registration in Keycloak that could allow an administrator to register malicious JavaScript URIs as Assertion Consumer Service POST Binding URLs (ACS), posing a Cross-Site Scripting (XSS) risk. This issue may allow a malicious admin in one realm or a client with registration access to target users in different realms or applications, executing arbitrary JavaScript in their contexts upon form submission. This can enable unauthorized access and harmful actions, compromising the confidentiality, integrity, and availability of the complete KC instance.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "keycloak: XSS via assertion consumer service URL in SAML POST-binding flow",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"RHPAM 7.13.5 async"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2023-6717"
},
{
"category": "external",
"summary": "RHBZ#2253952",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2253952"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2023-6717",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-6717"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-6717",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6717"
}
],
"release_date": "2024-04-16T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2024-03-18T09:47:51+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"RHPAM 7.13.5 async"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2024:1353"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.0,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:L",
"version": "3.1"
},
"products": [
"RHPAM 7.13.5 async"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "keycloak: XSS via assertion consumer service URL in SAML POST-binding flow"
},
{
"cve": "CVE-2023-33201",
"cwe": {
"id": "CWE-200",
"name": "Exposure of Sensitive Information to an Unauthorized Actor"
},
"discovery_date": "2023-06-16T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2215465"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Bouncy Castle 1.73. This issue targets the fix of LDAP wild cards. Before the fix there was no validation for the X.500 name of any certificate, subject, or issuer, so the presence of a wild card may lead to information disclosure. This could allow a malicious user to obtain unauthorized information via blind LDAP Injection, exploring the environment and enumerating data. The exploit depends on the structure of the target LDAP directory as well as what kind of errors are exposed to the user.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "bouncycastle: potential blind LDAP injection attack using a self-signed certificate",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"RHPAM 7.13.5 async"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2023-33201"
},
{
"category": "external",
"summary": "RHBZ#2215465",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2215465"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2023-33201",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-33201"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-33201",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-33201"
},
{
"category": "external",
"summary": "https://github.com/bcgit/bc-java/wiki/CVE-2023-33201",
"url": "https://github.com/bcgit/bc-java/wiki/CVE-2023-33201"
}
],
"release_date": "2023-06-16T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2024-03-18T09:47:51+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"RHPAM 7.13.5 async"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2024:1353"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"products": [
"RHPAM 7.13.5 async"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "bouncycastle: potential blind LDAP injection attack using a self-signed certificate"
}
]
}
RHSA-2023:5441
Vulnerability from csaf_redhat - Published: 2023-10-04 11:59 - Updated: 2025-11-21 18:45Summary
Red Hat Security Advisory: Red Hat Integration Camel for Spring Boot 4.0.0 release and security update
Notes
Topic
Red Hat Integration Camel for Spring Boot 4.0.0 release and security update is now available.
Red Hat Product Security has rated this update as having an impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
Red Hat Integration Camel for Spring Boot 4.0.0 is now available. The purpose of this text-only errata is to inform you about the security issues fixed.
* batik: Server-Side Request Forgery vulnerability (CVE-2022-44729)
* batik: Server-Side Request Forgery vulnerability (CVE-2022-44730)
* apache-ivy: XML External Entity vulnerability (CVE-2022-46751)
* jetty-server: OutOfMemoryError for large multipart without filename read via request.getParameter() (CVE-2023-26048)
* jetty-server: Cookie parsing of quoted values can exfiltrate values from other cookies (CVE-2023-26049)
* apache-johnzon: Prevent inefficient internal conversion from BigDecimal at large scale (CVE-2023-33008)
* netty: io.netty:netty-handler: SniHandler 16MB allocation (CVE-2023-34462)
* jetty-http: jetty: Improper validation of HTTP/1 content-length (CVE-2023-40167)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Red Hat Integration Camel for Spring Boot 4.0.0 release and security update is now available. \n\nRed Hat Product Security has rated this update as having an impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Red Hat Integration Camel for Spring Boot 4.0.0 is now available. The purpose of this text-only errata is to inform you about the security issues fixed.\n\n* batik: Server-Side Request Forgery vulnerability (CVE-2022-44729)\n\n* batik: Server-Side Request Forgery vulnerability (CVE-2022-44730)\n\n* apache-ivy: XML External Entity vulnerability (CVE-2022-46751)\n\n* jetty-server: OutOfMemoryError for large multipart without filename read via request.getParameter() (CVE-2023-26048)\n\n* jetty-server: Cookie parsing of quoted values can exfiltrate values from other cookies (CVE-2023-26049)\n\n* apache-johnzon: Prevent inefficient internal conversion from BigDecimal at large scale (CVE-2023-33008)\n\n* netty: io.netty:netty-handler: SniHandler 16MB allocation (CVE-2023-34462)\n\n* jetty-http: jetty: Improper validation of HTTP/1 content-length (CVE-2023-40167)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2023:5441",
"url": "https://access.redhat.com/errata/RHSA-2023:5441"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#moderate",
"url": "https://access.redhat.com/security/updates/classification/#moderate"
},
{
"category": "external",
"summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions\u0026product=red.hat.integration\u0026version=2023-Q4",
"url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions\u0026product=red.hat.integration\u0026version=2023-Q4"
},
{
"category": "external",
"summary": "2216888",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2216888"
},
{
"category": "external",
"summary": "2221135",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2221135"
},
{
"category": "external",
"summary": "2233112",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2233112"
},
{
"category": "external",
"summary": "2233889",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2233889"
},
{
"category": "external",
"summary": "2233899",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2233899"
},
{
"category": "external",
"summary": "2236340",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2236340"
},
{
"category": "external",
"summary": "2236341",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2236341"
},
{
"category": "external",
"summary": "2239634",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2239634"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2023/rhsa-2023_5441.json"
}
],
"title": "Red Hat Security Advisory: Red Hat Integration Camel for Spring Boot 4.0.0 release and security update",
"tracking": {
"current_release_date": "2025-11-21T18:45:55+00:00",
"generator": {
"date": "2025-11-21T18:45:55+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.6.12"
}
},
"id": "RHSA-2023:5441",
"initial_release_date": "2023-10-04T11:59:23+00:00",
"revision_history": [
{
"date": "2023-10-04T11:59:23+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2023-10-04T11:59:23+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2025-11-21T18:45:55+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "RHINT Camel-Springboot 4.0.0",
"product": {
"name": "RHINT Camel-Springboot 4.0.0",
"product_id": "RHINT Camel-Springboot 4.0.0",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:camel_spring_boot:4.0.0"
}
}
}
],
"category": "product_family",
"name": "Red Hat Integration"
}
],
"category": "vendor",
"name": "Red Hat"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2022-44729",
"cwe": {
"id": "CWE-918",
"name": "Server-Side Request Forgery (SSRF)"
},
"discovery_date": "2023-08-22T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2233889"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Apache Batik 1.0 - 1.16. This issue occurs due to a malicious SVG triggering external resources loading by default, causing resource consumption or in some cases information disclosure.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "batik: Server-Side Request Forgery vulnerability",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"RHINT Camel-Springboot 4.0.0"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-44729"
},
{
"category": "external",
"summary": "RHBZ#2233889",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2233889"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-44729",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-44729"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-44729",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-44729"
},
{
"category": "external",
"summary": "https://github.com/advisories/GHSA-gq5f-xv48-2365",
"url": "https://github.com/advisories/GHSA-gq5f-xv48-2365"
},
{
"category": "external",
"summary": "https://lists.apache.org/thread/hco2nw1typoorz33qzs0fcdx0ws6d6j2",
"url": "https://lists.apache.org/thread/hco2nw1typoorz33qzs0fcdx0ws6d6j2"
}
],
"release_date": "2023-08-22T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-10-04T11:59:23+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"RHINT Camel-Springboot 4.0.0"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:5441"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L",
"version": "3.1"
},
"products": [
"RHINT Camel-Springboot 4.0.0"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "batik: Server-Side Request Forgery vulnerability"
},
{
"cve": "CVE-2022-44730",
"cwe": {
"id": "CWE-918",
"name": "Server-Side Request Forgery (SSRF)"
},
"discovery_date": "2023-08-22T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2233899"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Apache Batik, where a malicious SVG can probe user profile data and send it directly as parameter to a URL. This issue can allow an attacker to conduct SSRF attacks.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "batik: Server-Side Request Forgery vulnerability",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"RHINT Camel-Springboot 4.0.0"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-44730"
},
{
"category": "external",
"summary": "RHBZ#2233899",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2233899"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-44730",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-44730"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-44730",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-44730"
},
{
"category": "external",
"summary": "https://github.com/advisories/GHSA-2474-2566-3qxp",
"url": "https://github.com/advisories/GHSA-2474-2566-3qxp"
},
{
"category": "external",
"summary": "https://lists.apache.org/thread/58m5817jr059f4v1zogh0fngj9pwjyj0",
"url": "https://lists.apache.org/thread/58m5817jr059f4v1zogh0fngj9pwjyj0"
}
],
"release_date": "2023-08-22T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-10-04T11:59:23+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"RHINT Camel-Springboot 4.0.0"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:5441"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L",
"version": "3.1"
},
"products": [
"RHINT Camel-Springboot 4.0.0"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "batik: Server-Side Request Forgery vulnerability"
},
{
"cve": "CVE-2022-46751",
"cwe": {
"id": "CWE-91",
"name": "XML Injection (aka Blind XPath Injection)"
},
"discovery_date": "2023-08-21T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2233112"
}
],
"notes": [
{
"category": "description",
"text": "Improper Restriction of XML External Entity Reference, XML Injection (aka Blind XPath Injection) vulnerability in Apache Software Foundation Apache Ivy.This issue affects any version of Apache Ivy prior to 2.5.2.\n\nWhen Apache Ivy prior to 2.5.2 parses XML files - either its own configuration, Ivy files or Apache Maven POMs - it will allow downloading external document type definitions and expand any entity references contained therein when used.\n\nThis can be used to exfiltrate data, access resources only the machine running Ivy has access to or disturb the execution of Ivy in different ways.\n\nStarting with Ivy 2.5.2 DTD processing is disabled by default except when parsing Maven POMs where the default is to allow DTD processing but only to include a DTD snippet shipping with Ivy that is needed to deal with existing Maven POMs that are not valid XML files but are nevertheless accepted by Maven. Access can be be made more lenient via newly introduced system properties where needed.\n\nUsers of Ivy prior to version 2.5.2 can use Java system properties to restrict processing of external DTDs, see the section about \"JAXP Properties for External Access restrictions\" inside Oracle\u0027s \"Java API for XML Processing (JAXP) Security Guide\".",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "apache-ivy: XML External Entity vulnerability",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"RHINT Camel-Springboot 4.0.0"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-46751"
},
{
"category": "external",
"summary": "RHBZ#2233112",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2233112"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-46751",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-46751"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-46751",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-46751"
},
{
"category": "external",
"summary": "https://lists.apache.org/thread/1dj60hg5nr36kjr4p1100dwjrqookps8",
"url": "https://lists.apache.org/thread/1dj60hg5nr36kjr4p1100dwjrqookps8"
}
],
"release_date": "2023-08-20T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-10-04T11:59:23+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"RHINT Camel-Springboot 4.0.0"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:5441"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L",
"version": "3.1"
},
"products": [
"RHINT Camel-Springboot 4.0.0"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "apache-ivy: XML External Entity vulnerability"
},
{
"cve": "CVE-2023-26048",
"cwe": {
"id": "CWE-770",
"name": "Allocation of Resources Without Limits or Throttling"
},
"discovery_date": "2023-08-30T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2236340"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the jetty-server package. A servlet with multipart support could get an OutOfMemorryError when the client sends a part that has a name but no filename and substantial content. This flaw allows a malicious user to jeopardize the environment by leaving the JVM in an unreliable state.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jetty-server: OutOfMemoryError for large multipart without filename read via request.getParameter()",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"RHINT Camel-Springboot 4.0.0"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2023-26048"
},
{
"category": "external",
"summary": "RHBZ#2236340",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2236340"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2023-26048",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-26048"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-26048",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-26048"
},
{
"category": "external",
"summary": "https://github.com/eclipse/jetty.project/security/advisories/GHSA-qw69-rqj8-6qw8",
"url": "https://github.com/eclipse/jetty.project/security/advisories/GHSA-qw69-rqj8-6qw8"
}
],
"release_date": "2023-04-18T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-10-04T11:59:23+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"RHINT Camel-Springboot 4.0.0"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:5441"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"products": [
"RHINT Camel-Springboot 4.0.0"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "jetty-server: OutOfMemoryError for large multipart without filename read via request.getParameter()"
},
{
"cve": "CVE-2023-26049",
"cwe": {
"id": "CWE-1286",
"name": "Improper Validation of Syntactic Correctness of Input"
},
"discovery_date": "2023-08-30T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2236341"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the jetty-server package. Nonstandard cookie parsing in Jetty may allow an attacker to smuggle cookies within other cookies or otherwise perform unintended behavior by tampering with the cookie parsing mechanism.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jetty-server: Cookie parsing of quoted values can exfiltrate values from other cookies",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"RHINT Camel-Springboot 4.0.0"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2023-26049"
},
{
"category": "external",
"summary": "RHBZ#2236341",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2236341"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2023-26049",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-26049"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-26049",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-26049"
},
{
"category": "external",
"summary": "https://github.com/eclipse/jetty.project/security/advisories/GHSA-p26g-97m4-6q7c",
"url": "https://github.com/eclipse/jetty.project/security/advisories/GHSA-p26g-97m4-6q7c"
}
],
"release_date": "2023-04-18T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-10-04T11:59:23+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"RHINT Camel-Springboot 4.0.0"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:5441"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"products": [
"RHINT Camel-Springboot 4.0.0"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "jetty-server: Cookie parsing of quoted values can exfiltrate values from other cookies"
},
{
"cve": "CVE-2023-33008",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2023-07-07T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2221135"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Apache Johnzon. This issue could allow an attacker to craft a specific JSON input that Johnzon will deserialize into a BigDecimal, which Johnzon may use to start converting large numbers, resulting in a denial of service.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "apache-johnzon: Prevent inefficient internal conversion from BigDecimal at large scale",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"RHINT Camel-Springboot 4.0.0"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2023-33008"
},
{
"category": "external",
"summary": "RHBZ#2221135",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2221135"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2023-33008",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-33008"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-33008",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-33008"
},
{
"category": "external",
"summary": "https://lists.apache.org/thread/qbg14djo95gfpk7o560lr8wcrzfyw43l",
"url": "https://lists.apache.org/thread/qbg14djo95gfpk7o560lr8wcrzfyw43l"
}
],
"release_date": "2023-07-06T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-10-04T11:59:23+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"RHINT Camel-Springboot 4.0.0"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:5441"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"products": [
"RHINT Camel-Springboot 4.0.0"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "apache-johnzon: Prevent inefficient internal conversion from BigDecimal at large scale"
},
{
"cve": "CVE-2023-34462",
"cwe": {
"id": "CWE-770",
"name": "Allocation of Resources Without Limits or Throttling"
},
"discovery_date": "2023-06-23T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2216888"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Netty\u0027s SniHandler while navigating TLS handshake which may permit a large heap allocation if the handler did not have a timeout configured. This issue may allow an attacker to send a client hello packet which would cause the server to buffer large amounts of data per connection, potentially causing an out of memory error, resulting in Denial of Service.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "netty: SniHandler 16MB allocation leads to OOM",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"RHINT Camel-Springboot 4.0.0"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2023-34462"
},
{
"category": "external",
"summary": "RHBZ#2216888",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2216888"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2023-34462",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-34462"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-34462",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-34462"
}
],
"release_date": "2023-06-23T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-10-04T11:59:23+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"RHINT Camel-Springboot 4.0.0"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:5441"
},
{
"category": "workaround",
"details": "Configuration of SniHandler with an idle timeout will mitigate this issue.",
"product_ids": [
"RHINT Camel-Springboot 4.0.0"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"RHINT Camel-Springboot 4.0.0"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "netty: SniHandler 16MB allocation leads to OOM"
},
{
"cve": "CVE-2023-40167",
"cwe": {
"id": "CWE-130",
"name": "Improper Handling of Length Parameter Inconsistency"
},
"discovery_date": "2023-09-19T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2239634"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Jetty that permits a plus sign (+) preceding the content-length value in a HTTP/1 header field, which is non-standard and more permissive than RFC. This issue could allow an attacker to request smuggling in conjunction with a server that does not close connections after 400 responses.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jetty: Improper validation of HTTP/1 content-length",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"RHINT Camel-Springboot 4.0.0"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2023-40167"
},
{
"category": "external",
"summary": "RHBZ#2239634",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2239634"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2023-40167",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-40167"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-40167",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-40167"
},
{
"category": "external",
"summary": "https://github.com/eclipse/jetty.project/security/advisories/GHSA-hmr7-m48g-48f6",
"url": "https://github.com/eclipse/jetty.project/security/advisories/GHSA-hmr7-m48g-48f6"
},
{
"category": "external",
"summary": "https://www.rfc-editor.org/rfc/rfc9110#section-8.6",
"url": "https://www.rfc-editor.org/rfc/rfc9110#section-8.6"
}
],
"release_date": "2023-09-19T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-10-04T11:59:23+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"RHINT Camel-Springboot 4.0.0"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:5441"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"products": [
"RHINT Camel-Springboot 4.0.0"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "jetty: Improper validation of HTTP/1 content-length"
}
]
}
RHSA-2024_1353
Vulnerability from csaf_redhat - Published: 2024-03-18 09:47 - Updated: 2024-12-17 23:03Summary
Red Hat Security Advisory: Red Hat Process Automation Manager 7.13.5 security update
Notes
Topic
An update is now available for Red Hat Process Automation Manager.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which provides a detailed severity rating, is available for each vulnerability from the CVE links in the References section.
Details
Red Hat Process Automation Manager is an open source business process management suite that combines process management and decision service management and enables business and IT users to create, manage, validate, and deploy process applications and decision services.
This asynchronous security patch is an update to Red Hat Process Automation Manager 7.
Security Fixes:
* JSON-java: parser confusion leads to OOM (CVE-2023-5072)
* okio: GzipSource class improper exception handling (CVE-2023-3635)
* xstream: Denial of Service by injecting recursive collections or maps based on element's hash values raising a stack overflow (CVE-2022-41966)
* batik: Server-Side Request Forgery vulnerability (CVE-2022-44729)
* batik: Server-Side Request Forgery vulnerability (CVE-2022-44730)
* bouncycastle: potential blind LDAP injection attack using a self-signed certificate (CVE-2023-33201)
* xstream: Xstream to serialise XML data was vulnerable to Denial of Service attacks (CVE-2022-40151)
* RESTEasy: creation of insecure temp files (CVE-2023-0482)
* snakeyaml: Constructor Deserialization Remote Code Execution (CVE-2022-1471)
For more details about the security issues, including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE pages listed in the References section.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update is now available for Red Hat Process Automation Manager.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which provides a detailed severity rating, is available for each vulnerability from the CVE links in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Red Hat Process Automation Manager is an open source business process management suite that combines process management and decision service management and enables business and IT users to create, manage, validate, and deploy process applications and decision services.\n\nThis asynchronous security patch is an update to Red Hat Process Automation Manager 7.\n\nSecurity Fixes:\n\n* JSON-java: parser confusion leads to OOM (CVE-2023-5072)\n\n* okio: GzipSource class improper exception handling (CVE-2023-3635)\n\n* xstream: Denial of Service by injecting recursive collections or maps based on element\u0027s hash values raising a stack overflow (CVE-2022-41966)\n\n* batik: Server-Side Request Forgery vulnerability (CVE-2022-44729)\n\n* batik: Server-Side Request Forgery vulnerability (CVE-2022-44730)\n\n* bouncycastle: potential blind LDAP injection attack using a self-signed certificate (CVE-2023-33201)\n\n* xstream: Xstream to serialise XML data was vulnerable to Denial of Service attacks (CVE-2022-40151)\n\n* RESTEasy: creation of insecure temp files (CVE-2023-0482)\n\n* snakeyaml: Constructor Deserialization Remote Code Execution (CVE-2022-1471)\n\nFor more details about the security issues, including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE pages listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2024:1353",
"url": "https://access.redhat.com/errata/RHSA-2024:1353"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "2134292",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2134292"
},
{
"category": "external",
"summary": "2150009",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2150009"
},
{
"category": "external",
"summary": "2166004",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2166004"
},
{
"category": "external",
"summary": "2170431",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2170431"
},
{
"category": "external",
"summary": "2215465",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2215465"
},
{
"category": "external",
"summary": "2229295",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2229295"
},
{
"category": "external",
"summary": "2233889",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2233889"
},
{
"category": "external",
"summary": "2233899",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2233899"
},
{
"category": "external",
"summary": "2246417",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2246417"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_1353.json"
}
],
"title": "Red Hat Security Advisory: Red Hat Process Automation Manager 7.13.5 security update",
"tracking": {
"current_release_date": "2024-12-17T23:03:00+00:00",
"generator": {
"date": "2024-12-17T23:03:00+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.2.3"
}
},
"id": "RHSA-2024:1353",
"initial_release_date": "2024-03-18T09:47:51+00:00",
"revision_history": [
{
"date": "2024-03-18T09:47:51+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2024-03-18T09:47:51+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2024-12-17T23:03:00+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "RHPAM 7.13.5 async",
"product": {
"name": "RHPAM 7.13.5 async",
"product_id": "RHPAM 7.13.5 async",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:jboss_enterprise_bpms_platform:7.13"
}
}
}
],
"category": "product_family",
"name": "Red Hat Process Automation Manager"
}
],
"category": "vendor",
"name": "Red Hat"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2022-1471",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2022-12-01T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2150009"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the SnakeYaml package. This flaw allows an attacker to benefit from remote code execution by sending malicious YAML content and this content being deserialized by the constructor. Deserialization is unsafe and leads to Remote Code Execution (RCE).",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "SnakeYaml: Constructor Deserialization Remote Code Execution",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "In the Red Hat Process Automation 7 (RHPAM) the untrusted, malicious YAML file for deserialization by the vulnerable Snakeyaml\u0027s SafeConstructor class must be provided intentionally by the RHPAM user which requires high privileges. The potential attack complexity is also high because it depends on conditions that are beyond the attacker\u0027s control. Due to that the impact for RHPAM is reduced to Low.\n\nRed Hat Fuse 7 does not expose by default any endpoint that passes incoming data/request into vulnerable Snakeyaml\u0027s Constructor class nor pass untrusted data to this class. When this class is used, it\u2019s still only used to parse internal configuration, hence the impact by this vulnerability to Red Hat Fuse 7 is reduced to Moderate.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"RHPAM 7.13.5 async"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-1471"
},
{
"category": "external",
"summary": "RHBZ#2150009",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2150009"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-1471",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-1471"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-1471",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1471"
},
{
"category": "external",
"summary": "https://github.com/google/security-research/security/advisories/GHSA-mjmj-j48q-9wg2",
"url": "https://github.com/google/security-research/security/advisories/GHSA-mjmj-j48q-9wg2"
}
],
"release_date": "2022-10-13T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2024-03-18T09:47:51+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"RHPAM 7.13.5 async"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2024:1353"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"RHPAM 7.13.5 async"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "SnakeYaml: Constructor Deserialization Remote Code Execution"
},
{
"cve": "CVE-2022-40151",
"cwe": {
"id": "CWE-787",
"name": "Out-of-bounds Write"
},
"discovery_date": "2022-10-13T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2134292"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the XStream package. This flaw allows an attacker to cause a denial of service (DoS) in its target via XML serialization.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "xstream: Xstream to serialise XML data was vulnerable to Denial of Service attacks",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"RHPAM 7.13.5 async"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-40151"
},
{
"category": "external",
"summary": "RHBZ#2134292",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2134292"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-40151",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-40151"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-40151",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-40151"
}
],
"release_date": "2022-09-16T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2024-03-18T09:47:51+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"RHPAM 7.13.5 async"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2024:1353"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"RHPAM 7.13.5 async"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "xstream: Xstream to serialise XML data was vulnerable to Denial of Service attacks"
},
{
"cve": "CVE-2022-41966",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2023-02-16T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2170431"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the xstream package. This flaw allows an attacker to cause a denial of service by injecting recursive collections or maps, raising a stack overflow.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "xstream: Denial of Service by injecting recursive collections or maps based on element\u0027s hash values raising a stack overflow",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Fuse 7 ships an affected version of XStream. No endpoint in any flavor of Fuse is accepting by default an unverified input stream passed directly to XStream unmarshaller. Documentation always recommend all the endpoints (TCP/UDP/HTTP(S)/other listeners) to have at least one layer of authentication/authorization and Fuse in general itself in particular has a lot of mechanisms to protect the endpoints.\n\nRed Hat Single Sign-On contains XStream as a transitive dependency from Infinispan and the same is not affected as NO_REFERENCE is in use.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"RHPAM 7.13.5 async"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-41966"
},
{
"category": "external",
"summary": "RHBZ#2170431",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2170431"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-41966",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-41966"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-41966",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41966"
},
{
"category": "external",
"summary": "https://github.com/x-stream/xstream/security/advisories/GHSA-j563-grx4-pjpv",
"url": "https://github.com/x-stream/xstream/security/advisories/GHSA-j563-grx4-pjpv"
}
],
"release_date": "2022-12-28T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2024-03-18T09:47:51+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"RHPAM 7.13.5 async"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2024:1353"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"RHPAM 7.13.5 async"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "xstream: Denial of Service by injecting recursive collections or maps based on element\u0027s hash values raising a stack overflow"
},
{
"cve": "CVE-2022-44729",
"cwe": {
"id": "CWE-918",
"name": "Server-Side Request Forgery (SSRF)"
},
"discovery_date": "2023-08-22T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2233889"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Apache Batik 1.0 - 1.16. This issue occurs due to a malicious SVG triggering external resources loading by default, causing resource consumption or in some cases information disclosure.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "batik: Server-Side Request Forgery vulnerability",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"RHPAM 7.13.5 async"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-44729"
},
{
"category": "external",
"summary": "RHBZ#2233889",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2233889"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-44729",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-44729"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-44729",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-44729"
},
{
"category": "external",
"summary": "https://github.com/advisories/GHSA-gq5f-xv48-2365",
"url": "https://github.com/advisories/GHSA-gq5f-xv48-2365"
},
{
"category": "external",
"summary": "https://lists.apache.org/thread/hco2nw1typoorz33qzs0fcdx0ws6d6j2",
"url": "https://lists.apache.org/thread/hco2nw1typoorz33qzs0fcdx0ws6d6j2"
}
],
"release_date": "2023-08-22T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2024-03-18T09:47:51+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"RHPAM 7.13.5 async"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2024:1353"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L",
"version": "3.1"
},
"products": [
"RHPAM 7.13.5 async"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "batik: Server-Side Request Forgery vulnerability"
},
{
"cve": "CVE-2022-44730",
"cwe": {
"id": "CWE-918",
"name": "Server-Side Request Forgery (SSRF)"
},
"discovery_date": "2023-08-22T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2233899"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Apache Batik, where a malicious SVG can probe user profile data and send it directly as parameter to a URL. This issue can allow an attacker to conduct SSRF attacks.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "batik: Server-Side Request Forgery vulnerability",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"RHPAM 7.13.5 async"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-44730"
},
{
"category": "external",
"summary": "RHBZ#2233899",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2233899"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-44730",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-44730"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-44730",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-44730"
},
{
"category": "external",
"summary": "https://github.com/advisories/GHSA-2474-2566-3qxp",
"url": "https://github.com/advisories/GHSA-2474-2566-3qxp"
},
{
"category": "external",
"summary": "https://lists.apache.org/thread/58m5817jr059f4v1zogh0fngj9pwjyj0",
"url": "https://lists.apache.org/thread/58m5817jr059f4v1zogh0fngj9pwjyj0"
}
],
"release_date": "2023-08-22T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2024-03-18T09:47:51+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"RHPAM 7.13.5 async"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2024:1353"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L",
"version": "3.1"
},
"products": [
"RHPAM 7.13.5 async"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "batik: Server-Side Request Forgery vulnerability"
},
{
"cve": "CVE-2023-0482",
"cwe": {
"id": "CWE-378",
"name": "Creation of Temporary File With Insecure Permissions"
},
"discovery_date": "2023-01-31T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2166004"
}
],
"notes": [
{
"category": "description",
"text": "In RESTEasy the insecure File.createTempFile() is used in the DataSourceProvider, FileProvider and Mime4JWorkaround classes which creates temp files with insecure permissions that could be read by a local user.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "RESTEasy: creation of insecure temp files",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"RHPAM 7.13.5 async"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2023-0482"
},
{
"category": "external",
"summary": "RHBZ#2166004",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2166004"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2023-0482",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-0482"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-0482",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0482"
}
],
"release_date": "2023-01-31T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2024-03-18T09:47:51+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"RHPAM 7.13.5 async"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2024:1353"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "LOW",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
},
"products": [
"RHPAM 7.13.5 async"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "RESTEasy: creation of insecure temp files"
},
{
"cve": "CVE-2023-3635",
"cwe": {
"id": "CWE-248",
"name": "Uncaught Exception"
},
"discovery_date": "2023-07-12T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2229295"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in SquareUp Okio. A class GzipSource does not handle an exception that might be raised when parsing a malformed gzip buffer. This issue may allow a malicious user to start processing a malformed file, which can result in a Denial of Service (DoS).",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "okio: GzipSource class improper exception handling",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat JBoss Enterprise Application Platform XP does contain Okio package but is not using GzipSource.java, which is the affected class.\nRed Hat support for Spring Boot is considered low impact as it\u0027s used by Dekorate during compilation process and not included in the resulting Jar.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"RHPAM 7.13.5 async"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2023-3635"
},
{
"category": "external",
"summary": "RHBZ#2229295",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2229295"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2023-3635",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-3635"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-3635",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-3635"
}
],
"release_date": "2023-07-12T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2024-03-18T09:47:51+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"RHPAM 7.13.5 async"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2024:1353"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"RHPAM 7.13.5 async"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "okio: GzipSource class improper exception handling"
},
{
"cve": "CVE-2023-5072",
"cwe": {
"id": "CWE-770",
"name": "Allocation of Resources Without Limits or Throttling"
},
"discovery_date": "2023-10-25T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2246417"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the org.json package. A bug in the parser exists, and an input string may lead to undefined usage of memory, leading to an out-of-memory error, causing a denial of service (DoS).",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "JSON-java: parser confusion leads to OOM",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This vulnerability may cause denial of service with a small string input, causing the server to be unresponsive easily, hence the Important impact.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"RHPAM 7.13.5 async"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2023-5072"
},
{
"category": "external",
"summary": "RHBZ#2246417",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2246417"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2023-5072",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-5072"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-5072",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-5072"
},
{
"category": "external",
"summary": "https://github.com/stleary/JSON-java/issues/758",
"url": "https://github.com/stleary/JSON-java/issues/758"
},
{
"category": "external",
"summary": "https://github.com/stleary/JSON-java/issues/771",
"url": "https://github.com/stleary/JSON-java/issues/771"
}
],
"release_date": "2023-10-12T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2024-03-18T09:47:51+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"RHPAM 7.13.5 async"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2024:1353"
},
{
"category": "workaround",
"details": "No current mitigation is available for this flaw.",
"product_ids": [
"RHPAM 7.13.5 async"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"RHPAM 7.13.5 async"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "JSON-java: parser confusion leads to OOM"
},
{
"cve": "CVE-2023-6481",
"cwe": {
"id": "CWE-400",
"name": "Uncontrolled Resource Consumption"
},
"discovery_date": "2023-12-05T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2252956"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the logback package. Affected versions of this package are vulnerable to Uncontrolled Resource Consumption (\u0027Resource Exhaustion\u0027) via the logback receiver component. This flaw allows an attacker to mount a denial-of-service attack by sending poisoned data.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "logback: A serialization vulnerability in logback receiver",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "The security vulnerability in the logback package is considered of moderate severity due to its potential for facilitating a denial-of-service (DoS) attack. While a DoS attack can disrupt service availability, this vulnerability may not lead to more severe consequences such as unauthorized access or data breaches.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"RHPAM 7.13.5 async"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2023-6481"
},
{
"category": "external",
"summary": "RHBZ#2252956",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2252956"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2023-6481",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-6481"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-6481",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6481"
}
],
"release_date": "2023-12-04T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2024-03-18T09:47:51+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"RHPAM 7.13.5 async"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2024:1353"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options don\u0027t meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"RHPAM 7.13.5 async"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"RHPAM 7.13.5 async"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "logback: A serialization vulnerability in logback receiver"
},
{
"cve": "CVE-2023-6717",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2023-12-11T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2253952"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the SAML client registration in Keycloak that could allow an administrator to register malicious JavaScript URIs as Assertion Consumer Service POST Binding URLs (ACS), posing a Cross-Site Scripting (XSS) risk. This issue may allow a malicious admin in one realm or a client with registration access to target users in different realms or applications, executing arbitrary JavaScript in their contexts upon form submission. This can enable unauthorized access and harmful actions, compromising the confidentiality, integrity, and availability of the complete KC instance.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "keycloak: XSS via assertion consumer service URL in SAML POST-binding flow",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"RHPAM 7.13.5 async"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2023-6717"
},
{
"category": "external",
"summary": "RHBZ#2253952",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2253952"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2023-6717",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-6717"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-6717",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6717"
}
],
"release_date": "2024-04-16T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2024-03-18T09:47:51+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"RHPAM 7.13.5 async"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2024:1353"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.0,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:L",
"version": "3.1"
},
"products": [
"RHPAM 7.13.5 async"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "keycloak: XSS via assertion consumer service URL in SAML POST-binding flow"
},
{
"cve": "CVE-2023-33201",
"cwe": {
"id": "CWE-200",
"name": "Exposure of Sensitive Information to an Unauthorized Actor"
},
"discovery_date": "2023-06-16T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2215465"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Bouncy Castle 1.73. This issue targets the fix of LDAP wild cards. Before the fix there was no validation for the X.500 name of any certificate, subject, or issuer, so the presence of a wild card may lead to information disclosure. This could allow a malicious user to obtain unauthorized information via blind LDAP Injection, exploring the environment and enumerating data. The exploit depends on the structure of the target LDAP directory as well as what kind of errors are exposed to the user.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "bouncycastle: potential blind LDAP injection attack using a self-signed certificate",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"RHPAM 7.13.5 async"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2023-33201"
},
{
"category": "external",
"summary": "RHBZ#2215465",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2215465"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2023-33201",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-33201"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-33201",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-33201"
},
{
"category": "external",
"summary": "https://github.com/bcgit/bc-java/wiki/CVE-2023-33201",
"url": "https://github.com/bcgit/bc-java/wiki/CVE-2023-33201"
}
],
"release_date": "2023-06-16T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2024-03-18T09:47:51+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"RHPAM 7.13.5 async"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2024:1353"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"products": [
"RHPAM 7.13.5 async"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "bouncycastle: potential blind LDAP injection attack using a self-signed certificate"
}
]
}
GSD-2022-44729
Vulnerability from gsd - Updated: 2023-12-13 01:19Details
Server-Side Request Forgery (SSRF) vulnerability in Apache Software Foundation Apache XML Graphics Batik.This issue affects Apache XML Graphics Batik: 1.16.
On version 1.16, a malicious SVG could trigger loading external resources by default, causing resource consumption or in some cases even information disclosure. Users are recommended to upgrade to version 1.17 or later.
Aliases
Aliases
{
"GSD": {
"alias": "CVE-2022-44729",
"id": "GSD-2022-44729"
},
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"aliases": [
"CVE-2022-44729"
],
"details": "Server-Side Request Forgery (SSRF) vulnerability in Apache Software Foundation Apache XML Graphics Batik.This issue affects Apache XML Graphics Batik: 1.16.\n\nOn version 1.16, a malicious SVG could trigger loading external resources by default, causing resource consumption or in some cases even information disclosure. Users are recommended to upgrade to version 1.17 or later.\n\n",
"id": "GSD-2022-44729",
"modified": "2023-12-13T01:19:25.280491Z",
"schema_version": "1.4.0"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"ID": "CVE-2022-44729",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache XML Graphics Batik",
"version": {
"version_data": [
{
"version_affected": "=",
"version_value": "1.16"
}
]
}
}
]
},
"vendor_name": "Apache Software Foundation"
}
]
}
},
"credits": [
{
"lang": "en",
"value": "nbxiglk"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Server-Side Request Forgery (SSRF) vulnerability in Apache Software Foundation Apache XML Graphics Batik.This issue affects Apache XML Graphics Batik: 1.16.\n\nOn version 1.16, a malicious SVG could trigger loading external resources by default, causing resource consumption or in some cases even information disclosure. Users are recommended to upgrade to version 1.17 or later.\n\n"
}
]
},
"generator": {
"engine": "Vulnogram 0.1.0-dev"
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"cweId": "CWE-918",
"lang": "eng",
"value": "CWE-918 Server-Side Request Forgery (SSRF)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://xmlgraphics.apache.org/security.html",
"refsource": "MISC",
"url": "https://xmlgraphics.apache.org/security.html"
},
{
"name": "https://lists.apache.org/thread/hco2nw1typoorz33qzs0fcdx0ws6d6j2",
"refsource": "MISC",
"url": "https://lists.apache.org/thread/hco2nw1typoorz33qzs0fcdx0ws6d6j2"
},
{
"name": "http://www.openwall.com/lists/oss-security/2023/08/22/2",
"refsource": "MISC",
"url": "http://www.openwall.com/lists/oss-security/2023/08/22/2"
},
{
"name": "http://www.openwall.com/lists/oss-security/2023/08/22/4",
"refsource": "MISC",
"url": "http://www.openwall.com/lists/oss-security/2023/08/22/4"
},
{
"name": "https://lists.debian.org/debian-lts-announce/2023/10/msg00021.html",
"refsource": "MISC",
"url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00021.html"
},
{
"name": "https://security.gentoo.org/glsa/202401-11",
"refsource": "MISC",
"url": "https://security.gentoo.org/glsa/202401-11"
}
]
},
"source": {
"defect": [
"BATIK-1349"
],
"discovery": "UNKNOWN"
}
},
"nvd.nist.gov": {
"cve": {
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:xml_graphics_batik:*:*:*:*:*:*:*:*",
"matchCriteriaId": "F47BF012-F21F-4B92-ADE7-957E3FE338E0",
"versionEndIncluding": "1.16",
"versionStartIncluding": "1.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*",
"matchCriteriaId": "07B237A9-69A3-4A9C-9DA0-4E06BD37AE73",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Server-Side Request Forgery (SSRF) vulnerability in Apache Software Foundation Apache XML Graphics Batik.This issue affects Apache XML Graphics Batik: 1.16.\n\nOn version 1.16, a malicious SVG could trigger loading external resources by default, causing resource consumption or in some cases even information disclosure. Users are recommended to upgrade to version 1.17 or later.\n\n"
}
],
"id": "CVE-2022-44729",
"lastModified": "2024-01-07T11:15:10.567",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 1.8,
"impactScore": 5.2,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-08-22T19:16:29.833",
"references": [
{
"source": "security@apache.org",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2023/08/22/2"
},
{
"source": "security@apache.org",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2023/08/22/4"
},
{
"source": "security@apache.org",
"tags": [
"Mailing List",
"Vendor Advisory"
],
"url": "https://lists.apache.org/thread/hco2nw1typoorz33qzs0fcdx0ws6d6j2"
},
{
"source": "security@apache.org",
"tags": [
"Mailing List"
],
"url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00021.html"
},
{
"source": "security@apache.org",
"url": "https://security.gentoo.org/glsa/202401-11"
},
{
"source": "security@apache.org",
"tags": [
"Vendor Advisory"
],
"url": "https://xmlgraphics.apache.org/security.html"
}
],
"sourceIdentifier": "security@apache.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-918"
}
],
"source": "security@apache.org",
"type": "Primary"
}
]
}
}
}
}
SUSE-SU-2024:0808-1
Vulnerability from csaf_suse - Published: 2024-03-07 19:46 - Updated: 2024-03-07 19:46Summary
Security update for xmlgraphics-batik
Notes
Title of the patch
Security update for xmlgraphics-batik
Description of the patch
This update for xmlgraphics-batik fixes the following issues:
- CVE-2022-41704: Fixed information disclosure vulnerability in Apache Batik (bsc#1204704).
- CVE-2022-42890: Fixed information disclosure vulnerability in Apache Batik (bsc#1204709).
- CVE-2022-44730: Fixed Server-Side Request Forgery.
- CVE-2022-44729: Fixed Server-Side Request Forgery.
Upgrade to version 1.17.
Patchnames
SUSE-2024-808,SUSE-SLE-Module-Development-Tools-15-SP5-2024-808,openSUSE-SLE-15.5-2024-808
Terms of use
CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for xmlgraphics-batik",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for xmlgraphics-batik fixes the following issues:\n\n- CVE-2022-41704: Fixed information disclosure vulnerability in Apache Batik (bsc#1204704).\n- CVE-2022-42890: Fixed information disclosure vulnerability in Apache Batik (bsc#1204709).\n- CVE-2022-44730: Fixed Server-Side Request Forgery.\n- CVE-2022-44729: Fixed Server-Side Request Forgery.\n\nUpgrade to version 1.17.\n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "SUSE-2024-808,SUSE-SLE-Module-Development-Tools-15-SP5-2024-808,openSUSE-SLE-15.5-2024-808",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2024_0808-1.json"
},
{
"category": "self",
"summary": "URL for SUSE-SU-2024:0808-1",
"url": "https://www.suse.com/support/update/announcement/2024/suse-su-20240808-1/"
},
{
"category": "self",
"summary": "E-Mail link for SUSE-SU-2024:0808-1",
"url": "https://lists.suse.com/pipermail/sle-updates/2024-March/034578.html"
},
{
"category": "self",
"summary": "SUSE Bug 1204704",
"url": "https://bugzilla.suse.com/1204704"
},
{
"category": "self",
"summary": "SUSE Bug 1204709",
"url": "https://bugzilla.suse.com/1204709"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2022-41704 page",
"url": "https://www.suse.com/security/cve/CVE-2022-41704/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2022-42890 page",
"url": "https://www.suse.com/security/cve/CVE-2022-42890/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2022-44729 page",
"url": "https://www.suse.com/security/cve/CVE-2022-44729/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2022-44730 page",
"url": "https://www.suse.com/security/cve/CVE-2022-44730/"
}
],
"title": "Security update for xmlgraphics-batik",
"tracking": {
"current_release_date": "2024-03-07T19:46:57Z",
"generator": {
"date": "2024-03-07T19:46:57Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "SUSE-SU-2024:0808-1",
"initial_release_date": "2024-03-07T19:46:57Z",
"revision_history": [
{
"date": "2024-03-07T19:46:57Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "xmlgraphics-batik-1.17-150200.4.7.1.noarch",
"product": {
"name": "xmlgraphics-batik-1.17-150200.4.7.1.noarch",
"product_id": "xmlgraphics-batik-1.17-150200.4.7.1.noarch"
}
},
{
"category": "product_version",
"name": "xmlgraphics-batik-css-1.17-150200.4.7.1.noarch",
"product": {
"name": "xmlgraphics-batik-css-1.17-150200.4.7.1.noarch",
"product_id": "xmlgraphics-batik-css-1.17-150200.4.7.1.noarch"
}
},
{
"category": "product_version",
"name": "xmlgraphics-batik-demo-1.17-150200.4.7.1.noarch",
"product": {
"name": "xmlgraphics-batik-demo-1.17-150200.4.7.1.noarch",
"product_id": "xmlgraphics-batik-demo-1.17-150200.4.7.1.noarch"
}
},
{
"category": "product_version",
"name": "xmlgraphics-batik-javadoc-1.17-150200.4.7.1.noarch",
"product": {
"name": "xmlgraphics-batik-javadoc-1.17-150200.4.7.1.noarch",
"product_id": "xmlgraphics-batik-javadoc-1.17-150200.4.7.1.noarch"
}
},
{
"category": "product_version",
"name": "xmlgraphics-batik-rasterizer-1.17-150200.4.7.1.noarch",
"product": {
"name": "xmlgraphics-batik-rasterizer-1.17-150200.4.7.1.noarch",
"product_id": "xmlgraphics-batik-rasterizer-1.17-150200.4.7.1.noarch"
}
},
{
"category": "product_version",
"name": "xmlgraphics-batik-slideshow-1.17-150200.4.7.1.noarch",
"product": {
"name": "xmlgraphics-batik-slideshow-1.17-150200.4.7.1.noarch",
"product_id": "xmlgraphics-batik-slideshow-1.17-150200.4.7.1.noarch"
}
},
{
"category": "product_version",
"name": "xmlgraphics-batik-squiggle-1.17-150200.4.7.1.noarch",
"product": {
"name": "xmlgraphics-batik-squiggle-1.17-150200.4.7.1.noarch",
"product_id": "xmlgraphics-batik-squiggle-1.17-150200.4.7.1.noarch"
}
},
{
"category": "product_version",
"name": "xmlgraphics-batik-svgpp-1.17-150200.4.7.1.noarch",
"product": {
"name": "xmlgraphics-batik-svgpp-1.17-150200.4.7.1.noarch",
"product_id": "xmlgraphics-batik-svgpp-1.17-150200.4.7.1.noarch"
}
},
{
"category": "product_version",
"name": "xmlgraphics-batik-ttf2svg-1.17-150200.4.7.1.noarch",
"product": {
"name": "xmlgraphics-batik-ttf2svg-1.17-150200.4.7.1.noarch",
"product_id": "xmlgraphics-batik-ttf2svg-1.17-150200.4.7.1.noarch"
}
}
],
"category": "architecture",
"name": "noarch"
},
{
"branches": [
{
"category": "product_name",
"name": "SUSE Linux Enterprise Module for Development Tools 15 SP5",
"product": {
"name": "SUSE Linux Enterprise Module for Development Tools 15 SP5",
"product_id": "SUSE Linux Enterprise Module for Development Tools 15 SP5",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sle-module-development-tools:15:sp5"
}
}
},
{
"category": "product_name",
"name": "openSUSE Leap 15.5",
"product": {
"name": "openSUSE Leap 15.5",
"product_id": "openSUSE Leap 15.5",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:leap:15.5"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "xmlgraphics-batik-1.17-150200.4.7.1.noarch as component of SUSE Linux Enterprise Module for Development Tools 15 SP5",
"product_id": "SUSE Linux Enterprise Module for Development Tools 15 SP5:xmlgraphics-batik-1.17-150200.4.7.1.noarch"
},
"product_reference": "xmlgraphics-batik-1.17-150200.4.7.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Development Tools 15 SP5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "xmlgraphics-batik-css-1.17-150200.4.7.1.noarch as component of SUSE Linux Enterprise Module for Development Tools 15 SP5",
"product_id": "SUSE Linux Enterprise Module for Development Tools 15 SP5:xmlgraphics-batik-css-1.17-150200.4.7.1.noarch"
},
"product_reference": "xmlgraphics-batik-css-1.17-150200.4.7.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Development Tools 15 SP5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "xmlgraphics-batik-1.17-150200.4.7.1.noarch as component of openSUSE Leap 15.5",
"product_id": "openSUSE Leap 15.5:xmlgraphics-batik-1.17-150200.4.7.1.noarch"
},
"product_reference": "xmlgraphics-batik-1.17-150200.4.7.1.noarch",
"relates_to_product_reference": "openSUSE Leap 15.5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "xmlgraphics-batik-css-1.17-150200.4.7.1.noarch as component of openSUSE Leap 15.5",
"product_id": "openSUSE Leap 15.5:xmlgraphics-batik-css-1.17-150200.4.7.1.noarch"
},
"product_reference": "xmlgraphics-batik-css-1.17-150200.4.7.1.noarch",
"relates_to_product_reference": "openSUSE Leap 15.5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "xmlgraphics-batik-demo-1.17-150200.4.7.1.noarch as component of openSUSE Leap 15.5",
"product_id": "openSUSE Leap 15.5:xmlgraphics-batik-demo-1.17-150200.4.7.1.noarch"
},
"product_reference": "xmlgraphics-batik-demo-1.17-150200.4.7.1.noarch",
"relates_to_product_reference": "openSUSE Leap 15.5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "xmlgraphics-batik-javadoc-1.17-150200.4.7.1.noarch as component of openSUSE Leap 15.5",
"product_id": "openSUSE Leap 15.5:xmlgraphics-batik-javadoc-1.17-150200.4.7.1.noarch"
},
"product_reference": "xmlgraphics-batik-javadoc-1.17-150200.4.7.1.noarch",
"relates_to_product_reference": "openSUSE Leap 15.5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "xmlgraphics-batik-rasterizer-1.17-150200.4.7.1.noarch as component of openSUSE Leap 15.5",
"product_id": "openSUSE Leap 15.5:xmlgraphics-batik-rasterizer-1.17-150200.4.7.1.noarch"
},
"product_reference": "xmlgraphics-batik-rasterizer-1.17-150200.4.7.1.noarch",
"relates_to_product_reference": "openSUSE Leap 15.5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "xmlgraphics-batik-slideshow-1.17-150200.4.7.1.noarch as component of openSUSE Leap 15.5",
"product_id": "openSUSE Leap 15.5:xmlgraphics-batik-slideshow-1.17-150200.4.7.1.noarch"
},
"product_reference": "xmlgraphics-batik-slideshow-1.17-150200.4.7.1.noarch",
"relates_to_product_reference": "openSUSE Leap 15.5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "xmlgraphics-batik-squiggle-1.17-150200.4.7.1.noarch as component of openSUSE Leap 15.5",
"product_id": "openSUSE Leap 15.5:xmlgraphics-batik-squiggle-1.17-150200.4.7.1.noarch"
},
"product_reference": "xmlgraphics-batik-squiggle-1.17-150200.4.7.1.noarch",
"relates_to_product_reference": "openSUSE Leap 15.5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "xmlgraphics-batik-svgpp-1.17-150200.4.7.1.noarch as component of openSUSE Leap 15.5",
"product_id": "openSUSE Leap 15.5:xmlgraphics-batik-svgpp-1.17-150200.4.7.1.noarch"
},
"product_reference": "xmlgraphics-batik-svgpp-1.17-150200.4.7.1.noarch",
"relates_to_product_reference": "openSUSE Leap 15.5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "xmlgraphics-batik-ttf2svg-1.17-150200.4.7.1.noarch as component of openSUSE Leap 15.5",
"product_id": "openSUSE Leap 15.5:xmlgraphics-batik-ttf2svg-1.17-150200.4.7.1.noarch"
},
"product_reference": "xmlgraphics-batik-ttf2svg-1.17-150200.4.7.1.noarch",
"relates_to_product_reference": "openSUSE Leap 15.5"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2022-41704",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2022-41704"
}
],
"notes": [
{
"category": "general",
"text": "A vulnerability in Batik of Apache XML Graphics allows an attacker to run untrusted Java code from an SVG. This issue affects Apache XML Graphics prior to 1.16. It is recommended to update to version 1.16.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Module for Development Tools 15 SP5:xmlgraphics-batik-1.17-150200.4.7.1.noarch",
"SUSE Linux Enterprise Module for Development Tools 15 SP5:xmlgraphics-batik-css-1.17-150200.4.7.1.noarch",
"openSUSE Leap 15.5:xmlgraphics-batik-1.17-150200.4.7.1.noarch",
"openSUSE Leap 15.5:xmlgraphics-batik-css-1.17-150200.4.7.1.noarch",
"openSUSE Leap 15.5:xmlgraphics-batik-demo-1.17-150200.4.7.1.noarch",
"openSUSE Leap 15.5:xmlgraphics-batik-javadoc-1.17-150200.4.7.1.noarch",
"openSUSE Leap 15.5:xmlgraphics-batik-rasterizer-1.17-150200.4.7.1.noarch",
"openSUSE Leap 15.5:xmlgraphics-batik-slideshow-1.17-150200.4.7.1.noarch",
"openSUSE Leap 15.5:xmlgraphics-batik-squiggle-1.17-150200.4.7.1.noarch",
"openSUSE Leap 15.5:xmlgraphics-batik-svgpp-1.17-150200.4.7.1.noarch",
"openSUSE Leap 15.5:xmlgraphics-batik-ttf2svg-1.17-150200.4.7.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2022-41704",
"url": "https://www.suse.com/security/cve/CVE-2022-41704"
},
{
"category": "external",
"summary": "SUSE Bug 1204704 for CVE-2022-41704",
"url": "https://bugzilla.suse.com/1204704"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Module for Development Tools 15 SP5:xmlgraphics-batik-1.17-150200.4.7.1.noarch",
"SUSE Linux Enterprise Module for Development Tools 15 SP5:xmlgraphics-batik-css-1.17-150200.4.7.1.noarch",
"openSUSE Leap 15.5:xmlgraphics-batik-1.17-150200.4.7.1.noarch",
"openSUSE Leap 15.5:xmlgraphics-batik-css-1.17-150200.4.7.1.noarch",
"openSUSE Leap 15.5:xmlgraphics-batik-demo-1.17-150200.4.7.1.noarch",
"openSUSE Leap 15.5:xmlgraphics-batik-javadoc-1.17-150200.4.7.1.noarch",
"openSUSE Leap 15.5:xmlgraphics-batik-rasterizer-1.17-150200.4.7.1.noarch",
"openSUSE Leap 15.5:xmlgraphics-batik-slideshow-1.17-150200.4.7.1.noarch",
"openSUSE Leap 15.5:xmlgraphics-batik-squiggle-1.17-150200.4.7.1.noarch",
"openSUSE Leap 15.5:xmlgraphics-batik-svgpp-1.17-150200.4.7.1.noarch",
"openSUSE Leap 15.5:xmlgraphics-batik-ttf2svg-1.17-150200.4.7.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Module for Development Tools 15 SP5:xmlgraphics-batik-1.17-150200.4.7.1.noarch",
"SUSE Linux Enterprise Module for Development Tools 15 SP5:xmlgraphics-batik-css-1.17-150200.4.7.1.noarch",
"openSUSE Leap 15.5:xmlgraphics-batik-1.17-150200.4.7.1.noarch",
"openSUSE Leap 15.5:xmlgraphics-batik-css-1.17-150200.4.7.1.noarch",
"openSUSE Leap 15.5:xmlgraphics-batik-demo-1.17-150200.4.7.1.noarch",
"openSUSE Leap 15.5:xmlgraphics-batik-javadoc-1.17-150200.4.7.1.noarch",
"openSUSE Leap 15.5:xmlgraphics-batik-rasterizer-1.17-150200.4.7.1.noarch",
"openSUSE Leap 15.5:xmlgraphics-batik-slideshow-1.17-150200.4.7.1.noarch",
"openSUSE Leap 15.5:xmlgraphics-batik-squiggle-1.17-150200.4.7.1.noarch",
"openSUSE Leap 15.5:xmlgraphics-batik-svgpp-1.17-150200.4.7.1.noarch",
"openSUSE Leap 15.5:xmlgraphics-batik-ttf2svg-1.17-150200.4.7.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-03-07T19:46:57Z",
"details": "moderate"
}
],
"title": "CVE-2022-41704"
},
{
"cve": "CVE-2022-42890",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2022-42890"
}
],
"notes": [
{
"category": "general",
"text": "A vulnerability in Batik of Apache XML Graphics allows an attacker to run Java code from untrusted SVG via JavaScript. This issue affects Apache XML Graphics prior to 1.16. Users are recommended to upgrade to version 1.16.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Module for Development Tools 15 SP5:xmlgraphics-batik-1.17-150200.4.7.1.noarch",
"SUSE Linux Enterprise Module for Development Tools 15 SP5:xmlgraphics-batik-css-1.17-150200.4.7.1.noarch",
"openSUSE Leap 15.5:xmlgraphics-batik-1.17-150200.4.7.1.noarch",
"openSUSE Leap 15.5:xmlgraphics-batik-css-1.17-150200.4.7.1.noarch",
"openSUSE Leap 15.5:xmlgraphics-batik-demo-1.17-150200.4.7.1.noarch",
"openSUSE Leap 15.5:xmlgraphics-batik-javadoc-1.17-150200.4.7.1.noarch",
"openSUSE Leap 15.5:xmlgraphics-batik-rasterizer-1.17-150200.4.7.1.noarch",
"openSUSE Leap 15.5:xmlgraphics-batik-slideshow-1.17-150200.4.7.1.noarch",
"openSUSE Leap 15.5:xmlgraphics-batik-squiggle-1.17-150200.4.7.1.noarch",
"openSUSE Leap 15.5:xmlgraphics-batik-svgpp-1.17-150200.4.7.1.noarch",
"openSUSE Leap 15.5:xmlgraphics-batik-ttf2svg-1.17-150200.4.7.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2022-42890",
"url": "https://www.suse.com/security/cve/CVE-2022-42890"
},
{
"category": "external",
"summary": "SUSE Bug 1204709 for CVE-2022-42890",
"url": "https://bugzilla.suse.com/1204709"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Module for Development Tools 15 SP5:xmlgraphics-batik-1.17-150200.4.7.1.noarch",
"SUSE Linux Enterprise Module for Development Tools 15 SP5:xmlgraphics-batik-css-1.17-150200.4.7.1.noarch",
"openSUSE Leap 15.5:xmlgraphics-batik-1.17-150200.4.7.1.noarch",
"openSUSE Leap 15.5:xmlgraphics-batik-css-1.17-150200.4.7.1.noarch",
"openSUSE Leap 15.5:xmlgraphics-batik-demo-1.17-150200.4.7.1.noarch",
"openSUSE Leap 15.5:xmlgraphics-batik-javadoc-1.17-150200.4.7.1.noarch",
"openSUSE Leap 15.5:xmlgraphics-batik-rasterizer-1.17-150200.4.7.1.noarch",
"openSUSE Leap 15.5:xmlgraphics-batik-slideshow-1.17-150200.4.7.1.noarch",
"openSUSE Leap 15.5:xmlgraphics-batik-squiggle-1.17-150200.4.7.1.noarch",
"openSUSE Leap 15.5:xmlgraphics-batik-svgpp-1.17-150200.4.7.1.noarch",
"openSUSE Leap 15.5:xmlgraphics-batik-ttf2svg-1.17-150200.4.7.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Module for Development Tools 15 SP5:xmlgraphics-batik-1.17-150200.4.7.1.noarch",
"SUSE Linux Enterprise Module for Development Tools 15 SP5:xmlgraphics-batik-css-1.17-150200.4.7.1.noarch",
"openSUSE Leap 15.5:xmlgraphics-batik-1.17-150200.4.7.1.noarch",
"openSUSE Leap 15.5:xmlgraphics-batik-css-1.17-150200.4.7.1.noarch",
"openSUSE Leap 15.5:xmlgraphics-batik-demo-1.17-150200.4.7.1.noarch",
"openSUSE Leap 15.5:xmlgraphics-batik-javadoc-1.17-150200.4.7.1.noarch",
"openSUSE Leap 15.5:xmlgraphics-batik-rasterizer-1.17-150200.4.7.1.noarch",
"openSUSE Leap 15.5:xmlgraphics-batik-slideshow-1.17-150200.4.7.1.noarch",
"openSUSE Leap 15.5:xmlgraphics-batik-squiggle-1.17-150200.4.7.1.noarch",
"openSUSE Leap 15.5:xmlgraphics-batik-svgpp-1.17-150200.4.7.1.noarch",
"openSUSE Leap 15.5:xmlgraphics-batik-ttf2svg-1.17-150200.4.7.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-03-07T19:46:57Z",
"details": "moderate"
}
],
"title": "CVE-2022-42890"
},
{
"cve": "CVE-2022-44729",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2022-44729"
}
],
"notes": [
{
"category": "general",
"text": "Server-Side Request Forgery (SSRF) vulnerability in Apache Software Foundation Apache XML Graphics Batik.This issue affects Apache XML Graphics Batik: 1.16.\n\nOn version 1.16, a malicious SVG could trigger loading external resources by default, causing resource consumption or in some cases even information disclosure. Users are recommended to upgrade to version 1.17 or later.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Module for Development Tools 15 SP5:xmlgraphics-batik-1.17-150200.4.7.1.noarch",
"SUSE Linux Enterprise Module for Development Tools 15 SP5:xmlgraphics-batik-css-1.17-150200.4.7.1.noarch",
"openSUSE Leap 15.5:xmlgraphics-batik-1.17-150200.4.7.1.noarch",
"openSUSE Leap 15.5:xmlgraphics-batik-css-1.17-150200.4.7.1.noarch",
"openSUSE Leap 15.5:xmlgraphics-batik-demo-1.17-150200.4.7.1.noarch",
"openSUSE Leap 15.5:xmlgraphics-batik-javadoc-1.17-150200.4.7.1.noarch",
"openSUSE Leap 15.5:xmlgraphics-batik-rasterizer-1.17-150200.4.7.1.noarch",
"openSUSE Leap 15.5:xmlgraphics-batik-slideshow-1.17-150200.4.7.1.noarch",
"openSUSE Leap 15.5:xmlgraphics-batik-squiggle-1.17-150200.4.7.1.noarch",
"openSUSE Leap 15.5:xmlgraphics-batik-svgpp-1.17-150200.4.7.1.noarch",
"openSUSE Leap 15.5:xmlgraphics-batik-ttf2svg-1.17-150200.4.7.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2022-44729",
"url": "https://www.suse.com/security/cve/CVE-2022-44729"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Module for Development Tools 15 SP5:xmlgraphics-batik-1.17-150200.4.7.1.noarch",
"SUSE Linux Enterprise Module for Development Tools 15 SP5:xmlgraphics-batik-css-1.17-150200.4.7.1.noarch",
"openSUSE Leap 15.5:xmlgraphics-batik-1.17-150200.4.7.1.noarch",
"openSUSE Leap 15.5:xmlgraphics-batik-css-1.17-150200.4.7.1.noarch",
"openSUSE Leap 15.5:xmlgraphics-batik-demo-1.17-150200.4.7.1.noarch",
"openSUSE Leap 15.5:xmlgraphics-batik-javadoc-1.17-150200.4.7.1.noarch",
"openSUSE Leap 15.5:xmlgraphics-batik-rasterizer-1.17-150200.4.7.1.noarch",
"openSUSE Leap 15.5:xmlgraphics-batik-slideshow-1.17-150200.4.7.1.noarch",
"openSUSE Leap 15.5:xmlgraphics-batik-squiggle-1.17-150200.4.7.1.noarch",
"openSUSE Leap 15.5:xmlgraphics-batik-svgpp-1.17-150200.4.7.1.noarch",
"openSUSE Leap 15.5:xmlgraphics-batik-ttf2svg-1.17-150200.4.7.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Module for Development Tools 15 SP5:xmlgraphics-batik-1.17-150200.4.7.1.noarch",
"SUSE Linux Enterprise Module for Development Tools 15 SP5:xmlgraphics-batik-css-1.17-150200.4.7.1.noarch",
"openSUSE Leap 15.5:xmlgraphics-batik-1.17-150200.4.7.1.noarch",
"openSUSE Leap 15.5:xmlgraphics-batik-css-1.17-150200.4.7.1.noarch",
"openSUSE Leap 15.5:xmlgraphics-batik-demo-1.17-150200.4.7.1.noarch",
"openSUSE Leap 15.5:xmlgraphics-batik-javadoc-1.17-150200.4.7.1.noarch",
"openSUSE Leap 15.5:xmlgraphics-batik-rasterizer-1.17-150200.4.7.1.noarch",
"openSUSE Leap 15.5:xmlgraphics-batik-slideshow-1.17-150200.4.7.1.noarch",
"openSUSE Leap 15.5:xmlgraphics-batik-squiggle-1.17-150200.4.7.1.noarch",
"openSUSE Leap 15.5:xmlgraphics-batik-svgpp-1.17-150200.4.7.1.noarch",
"openSUSE Leap 15.5:xmlgraphics-batik-ttf2svg-1.17-150200.4.7.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-03-07T19:46:57Z",
"details": "important"
}
],
"title": "CVE-2022-44729"
},
{
"cve": "CVE-2022-44730",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2022-44730"
}
],
"notes": [
{
"category": "general",
"text": "Server-Side Request Forgery (SSRF) vulnerability in Apache Software Foundation Apache XML Graphics Batik.This issue affects Apache XML Graphics Batik: 1.16.\n\nA malicious SVG can probe user profile / data and send it directly as parameter to a URL.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Module for Development Tools 15 SP5:xmlgraphics-batik-1.17-150200.4.7.1.noarch",
"SUSE Linux Enterprise Module for Development Tools 15 SP5:xmlgraphics-batik-css-1.17-150200.4.7.1.noarch",
"openSUSE Leap 15.5:xmlgraphics-batik-1.17-150200.4.7.1.noarch",
"openSUSE Leap 15.5:xmlgraphics-batik-css-1.17-150200.4.7.1.noarch",
"openSUSE Leap 15.5:xmlgraphics-batik-demo-1.17-150200.4.7.1.noarch",
"openSUSE Leap 15.5:xmlgraphics-batik-javadoc-1.17-150200.4.7.1.noarch",
"openSUSE Leap 15.5:xmlgraphics-batik-rasterizer-1.17-150200.4.7.1.noarch",
"openSUSE Leap 15.5:xmlgraphics-batik-slideshow-1.17-150200.4.7.1.noarch",
"openSUSE Leap 15.5:xmlgraphics-batik-squiggle-1.17-150200.4.7.1.noarch",
"openSUSE Leap 15.5:xmlgraphics-batik-svgpp-1.17-150200.4.7.1.noarch",
"openSUSE Leap 15.5:xmlgraphics-batik-ttf2svg-1.17-150200.4.7.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2022-44730",
"url": "https://www.suse.com/security/cve/CVE-2022-44730"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Module for Development Tools 15 SP5:xmlgraphics-batik-1.17-150200.4.7.1.noarch",
"SUSE Linux Enterprise Module for Development Tools 15 SP5:xmlgraphics-batik-css-1.17-150200.4.7.1.noarch",
"openSUSE Leap 15.5:xmlgraphics-batik-1.17-150200.4.7.1.noarch",
"openSUSE Leap 15.5:xmlgraphics-batik-css-1.17-150200.4.7.1.noarch",
"openSUSE Leap 15.5:xmlgraphics-batik-demo-1.17-150200.4.7.1.noarch",
"openSUSE Leap 15.5:xmlgraphics-batik-javadoc-1.17-150200.4.7.1.noarch",
"openSUSE Leap 15.5:xmlgraphics-batik-rasterizer-1.17-150200.4.7.1.noarch",
"openSUSE Leap 15.5:xmlgraphics-batik-slideshow-1.17-150200.4.7.1.noarch",
"openSUSE Leap 15.5:xmlgraphics-batik-squiggle-1.17-150200.4.7.1.noarch",
"openSUSE Leap 15.5:xmlgraphics-batik-svgpp-1.17-150200.4.7.1.noarch",
"openSUSE Leap 15.5:xmlgraphics-batik-ttf2svg-1.17-150200.4.7.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 4.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Module for Development Tools 15 SP5:xmlgraphics-batik-1.17-150200.4.7.1.noarch",
"SUSE Linux Enterprise Module for Development Tools 15 SP5:xmlgraphics-batik-css-1.17-150200.4.7.1.noarch",
"openSUSE Leap 15.5:xmlgraphics-batik-1.17-150200.4.7.1.noarch",
"openSUSE Leap 15.5:xmlgraphics-batik-css-1.17-150200.4.7.1.noarch",
"openSUSE Leap 15.5:xmlgraphics-batik-demo-1.17-150200.4.7.1.noarch",
"openSUSE Leap 15.5:xmlgraphics-batik-javadoc-1.17-150200.4.7.1.noarch",
"openSUSE Leap 15.5:xmlgraphics-batik-rasterizer-1.17-150200.4.7.1.noarch",
"openSUSE Leap 15.5:xmlgraphics-batik-slideshow-1.17-150200.4.7.1.noarch",
"openSUSE Leap 15.5:xmlgraphics-batik-squiggle-1.17-150200.4.7.1.noarch",
"openSUSE Leap 15.5:xmlgraphics-batik-svgpp-1.17-150200.4.7.1.noarch",
"openSUSE Leap 15.5:xmlgraphics-batik-ttf2svg-1.17-150200.4.7.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-03-07T19:46:57Z",
"details": "moderate"
}
],
"title": "CVE-2022-44730"
}
]
}
SUSE-SU-2024:0777-1
Vulnerability from csaf_suse - Published: 2024-03-06 11:54 - Updated: 2024-03-06 11:54Summary
Security update for xmlgraphics-batik
Notes
Title of the patch
Security update for xmlgraphics-batik
Description of the patch
This update for xmlgraphics-batik fixes the following issues:
- CVE-2017-5662: Fixed Apache Batik information disclosure vulnerability (bsc#1034675).
- CVE-2019-17566: Fixed SSRF vulnerability (bsc#1172961).
- CVE-2020-11987: Fixed Apache XML Graphics Batik SSRF vulnerability (bsc#1182748).
- CVE-2022-38398: Fixed information disclosure vulnerability (bsc#1203674).
- CVE-2022-38648: Fixed information disclosure vulnerability (bsc#1203673).
- CVE-2022-40146: Fixed information disclosure vulnerability (bsc#1203672).
- CVE-2022-41704: Fixed information disclosure vulnerability in Apache Batik (bsc#1204704).
- CVE-2022-42890: Fixed information disclosure vulnerability in Apache Batik (bsc#1204709).
- CVE-2022-44729: Fixed Server-Side Request Forgery.
- CVE-2022-44730: Fixed Server-Side Request Forgery.
Upgrade to version 1.17.
Patchnames
SUSE-2024-777,SUSE-SLE-SDK-12-SP5-2024-777
Terms of use
CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for xmlgraphics-batik",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for xmlgraphics-batik fixes the following issues:\n\n- CVE-2017-5662: Fixed Apache Batik information disclosure vulnerability (bsc#1034675).\n- CVE-2019-17566: Fixed SSRF vulnerability (bsc#1172961).\n- CVE-2020-11987: Fixed Apache XML Graphics Batik SSRF vulnerability (bsc#1182748).\n- CVE-2022-38398: Fixed information disclosure vulnerability (bsc#1203674).\n- CVE-2022-38648: Fixed information disclosure vulnerability (bsc#1203673).\n- CVE-2022-40146: Fixed information disclosure vulnerability (bsc#1203672).\n- CVE-2022-41704: Fixed information disclosure vulnerability in Apache Batik (bsc#1204704).\n- CVE-2022-42890: Fixed information disclosure vulnerability in Apache Batik (bsc#1204709).\n- CVE-2022-44729: Fixed Server-Side Request Forgery.\n- CVE-2022-44730: Fixed Server-Side Request Forgery.\n\nUpgrade to version 1.17.\n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "SUSE-2024-777,SUSE-SLE-SDK-12-SP5-2024-777",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2024_0777-1.json"
},
{
"category": "self",
"summary": "URL for SUSE-SU-2024:0777-1",
"url": "https://www.suse.com/support/update/announcement/2024/suse-su-20240777-1/"
},
{
"category": "self",
"summary": "E-Mail link for SUSE-SU-2024:0777-1",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2024-March/018100.html"
},
{
"category": "self",
"summary": "SUSE Bug 1034675",
"url": "https://bugzilla.suse.com/1034675"
},
{
"category": "self",
"summary": "SUSE Bug 1172961",
"url": "https://bugzilla.suse.com/1172961"
},
{
"category": "self",
"summary": "SUSE Bug 1182748",
"url": "https://bugzilla.suse.com/1182748"
},
{
"category": "self",
"summary": "SUSE Bug 1203672",
"url": "https://bugzilla.suse.com/1203672"
},
{
"category": "self",
"summary": "SUSE Bug 1203673",
"url": "https://bugzilla.suse.com/1203673"
},
{
"category": "self",
"summary": "SUSE Bug 1203674",
"url": "https://bugzilla.suse.com/1203674"
},
{
"category": "self",
"summary": "SUSE Bug 1204704",
"url": "https://bugzilla.suse.com/1204704"
},
{
"category": "self",
"summary": "SUSE Bug 1204709",
"url": "https://bugzilla.suse.com/1204709"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2017-5662 page",
"url": "https://www.suse.com/security/cve/CVE-2017-5662/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2019-17566 page",
"url": "https://www.suse.com/security/cve/CVE-2019-17566/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2020-11987 page",
"url": "https://www.suse.com/security/cve/CVE-2020-11987/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2022-38398 page",
"url": "https://www.suse.com/security/cve/CVE-2022-38398/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2022-38648 page",
"url": "https://www.suse.com/security/cve/CVE-2022-38648/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2022-40146 page",
"url": "https://www.suse.com/security/cve/CVE-2022-40146/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2022-41704 page",
"url": "https://www.suse.com/security/cve/CVE-2022-41704/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2022-42890 page",
"url": "https://www.suse.com/security/cve/CVE-2022-42890/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2022-44729 page",
"url": "https://www.suse.com/security/cve/CVE-2022-44729/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2022-44730 page",
"url": "https://www.suse.com/security/cve/CVE-2022-44730/"
}
],
"title": "Security update for xmlgraphics-batik",
"tracking": {
"current_release_date": "2024-03-06T11:54:24Z",
"generator": {
"date": "2024-03-06T11:54:24Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "SUSE-SU-2024:0777-1",
"initial_release_date": "2024-03-06T11:54:24Z",
"revision_history": [
{
"date": "2024-03-06T11:54:24Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "xmlgraphics-batik-1.17-2.7.1.noarch",
"product": {
"name": "xmlgraphics-batik-1.17-2.7.1.noarch",
"product_id": "xmlgraphics-batik-1.17-2.7.1.noarch"
}
},
{
"category": "product_version",
"name": "xmlgraphics-batik-demo-1.17-2.7.1.noarch",
"product": {
"name": "xmlgraphics-batik-demo-1.17-2.7.1.noarch",
"product_id": "xmlgraphics-batik-demo-1.17-2.7.1.noarch"
}
},
{
"category": "product_version",
"name": "xmlgraphics-batik-javadoc-1.17-2.7.1.noarch",
"product": {
"name": "xmlgraphics-batik-javadoc-1.17-2.7.1.noarch",
"product_id": "xmlgraphics-batik-javadoc-1.17-2.7.1.noarch"
}
},
{
"category": "product_version",
"name": "xmlgraphics-batik-rasterizer-1.17-2.7.1.noarch",
"product": {
"name": "xmlgraphics-batik-rasterizer-1.17-2.7.1.noarch",
"product_id": "xmlgraphics-batik-rasterizer-1.17-2.7.1.noarch"
}
},
{
"category": "product_version",
"name": "xmlgraphics-batik-slideshow-1.17-2.7.1.noarch",
"product": {
"name": "xmlgraphics-batik-slideshow-1.17-2.7.1.noarch",
"product_id": "xmlgraphics-batik-slideshow-1.17-2.7.1.noarch"
}
},
{
"category": "product_version",
"name": "xmlgraphics-batik-squiggle-1.17-2.7.1.noarch",
"product": {
"name": "xmlgraphics-batik-squiggle-1.17-2.7.1.noarch",
"product_id": "xmlgraphics-batik-squiggle-1.17-2.7.1.noarch"
}
},
{
"category": "product_version",
"name": "xmlgraphics-batik-svgpp-1.17-2.7.1.noarch",
"product": {
"name": "xmlgraphics-batik-svgpp-1.17-2.7.1.noarch",
"product_id": "xmlgraphics-batik-svgpp-1.17-2.7.1.noarch"
}
},
{
"category": "product_version",
"name": "xmlgraphics-batik-ttf2svg-1.17-2.7.1.noarch",
"product": {
"name": "xmlgraphics-batik-ttf2svg-1.17-2.7.1.noarch",
"product_id": "xmlgraphics-batik-ttf2svg-1.17-2.7.1.noarch"
}
}
],
"category": "architecture",
"name": "noarch"
},
{
"branches": [
{
"category": "product_name",
"name": "SUSE Linux Enterprise Software Development Kit 12 SP5",
"product": {
"name": "SUSE Linux Enterprise Software Development Kit 12 SP5",
"product_id": "SUSE Linux Enterprise Software Development Kit 12 SP5",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sle-sdk:12:sp5"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "xmlgraphics-batik-1.17-2.7.1.noarch as component of SUSE Linux Enterprise Software Development Kit 12 SP5",
"product_id": "SUSE Linux Enterprise Software Development Kit 12 SP5:xmlgraphics-batik-1.17-2.7.1.noarch"
},
"product_reference": "xmlgraphics-batik-1.17-2.7.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Software Development Kit 12 SP5"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2017-5662",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2017-5662"
}
],
"notes": [
{
"category": "general",
"text": "In Apache Batik before 1.9, files lying on the filesystem of the server which uses batik can be revealed to arbitrary users who send maliciously formed SVG files. The file types that can be shown depend on the user context in which the exploitable application is running. If the user is root a full compromise of the server - including confidential or sensitive files - would be possible. XXE can also be used to attack the availability of the server via denial of service as the references within a xml document can trivially trigger an amplification attack.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Software Development Kit 12 SP5:xmlgraphics-batik-1.17-2.7.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2017-5662",
"url": "https://www.suse.com/security/cve/CVE-2017-5662"
},
{
"category": "external",
"summary": "SUSE Bug 1034675 for CVE-2017-5662",
"url": "https://bugzilla.suse.com/1034675"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Software Development Kit 12 SP5:xmlgraphics-batik-1.17-2.7.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Software Development Kit 12 SP5:xmlgraphics-batik-1.17-2.7.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-03-06T11:54:24Z",
"details": "important"
}
],
"title": "CVE-2017-5662"
},
{
"cve": "CVE-2019-17566",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2019-17566"
}
],
"notes": [
{
"category": "general",
"text": "Apache Batik is vulnerable to server-side request forgery, caused by improper input validation by the \"xlink:href\" attributes. By using a specially-crafted argument, an attacker could exploit this vulnerability to cause the underlying server to make arbitrary GET requests.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Software Development Kit 12 SP5:xmlgraphics-batik-1.17-2.7.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2019-17566",
"url": "https://www.suse.com/security/cve/CVE-2019-17566"
},
{
"category": "external",
"summary": "SUSE Bug 1172961 for CVE-2019-17566",
"url": "https://bugzilla.suse.com/1172961"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Software Development Kit 12 SP5:xmlgraphics-batik-1.17-2.7.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.8,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Software Development Kit 12 SP5:xmlgraphics-batik-1.17-2.7.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-03-06T11:54:24Z",
"details": "moderate"
}
],
"title": "CVE-2019-17566"
},
{
"cve": "CVE-2020-11987",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2020-11987"
}
],
"notes": [
{
"category": "general",
"text": "Apache Batik 1.13 is vulnerable to server-side request forgery, caused by improper input validation by the NodePickerPanel. By using a specially-crafted argument, an attacker could exploit this vulnerability to cause the underlying server to make arbitrary GET requests.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Software Development Kit 12 SP5:xmlgraphics-batik-1.17-2.7.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2020-11987",
"url": "https://www.suse.com/security/cve/CVE-2020-11987"
},
{
"category": "external",
"summary": "SUSE Bug 1182748 for CVE-2020-11987",
"url": "https://bugzilla.suse.com/1182748"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Software Development Kit 12 SP5:xmlgraphics-batik-1.17-2.7.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.8,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Software Development Kit 12 SP5:xmlgraphics-batik-1.17-2.7.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-03-06T11:54:24Z",
"details": "moderate"
}
],
"title": "CVE-2020-11987"
},
{
"cve": "CVE-2022-38398",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2022-38398"
}
],
"notes": [
{
"category": "general",
"text": "Server-Side Request Forgery (SSRF) vulnerability in Batik of Apache XML Graphics allows an attacker to load a url thru the jar protocol. This issue affects Apache XML Graphics Batik 1.14.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Software Development Kit 12 SP5:xmlgraphics-batik-1.17-2.7.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2022-38398",
"url": "https://www.suse.com/security/cve/CVE-2022-38398"
},
{
"category": "external",
"summary": "SUSE Bug 1203674 for CVE-2022-38398",
"url": "https://bugzilla.suse.com/1203674"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Software Development Kit 12 SP5:xmlgraphics-batik-1.17-2.7.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Software Development Kit 12 SP5:xmlgraphics-batik-1.17-2.7.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-03-06T11:54:24Z",
"details": "moderate"
}
],
"title": "CVE-2022-38398"
},
{
"cve": "CVE-2022-38648",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2022-38648"
}
],
"notes": [
{
"category": "general",
"text": "Server-Side Request Forgery (SSRF) vulnerability in Batik of Apache XML Graphics allows an attacker to fetch external resources. This issue affects Apache XML Graphics Batik 1.14.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Software Development Kit 12 SP5:xmlgraphics-batik-1.17-2.7.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2022-38648",
"url": "https://www.suse.com/security/cve/CVE-2022-38648"
},
{
"category": "external",
"summary": "SUSE Bug 1203673 for CVE-2022-38648",
"url": "https://bugzilla.suse.com/1203673"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Software Development Kit 12 SP5:xmlgraphics-batik-1.17-2.7.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Software Development Kit 12 SP5:xmlgraphics-batik-1.17-2.7.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-03-06T11:54:24Z",
"details": "moderate"
}
],
"title": "CVE-2022-38648"
},
{
"cve": "CVE-2022-40146",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2022-40146"
}
],
"notes": [
{
"category": "general",
"text": "Server-Side Request Forgery (SSRF) vulnerability in Batik of Apache XML Graphics allows an attacker to access files using a Jar url. This issue affects Apache XML Graphics Batik 1.14.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Software Development Kit 12 SP5:xmlgraphics-batik-1.17-2.7.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2022-40146",
"url": "https://www.suse.com/security/cve/CVE-2022-40146"
},
{
"category": "external",
"summary": "SUSE Bug 1203672 for CVE-2022-40146",
"url": "https://bugzilla.suse.com/1203672"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Software Development Kit 12 SP5:xmlgraphics-batik-1.17-2.7.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Software Development Kit 12 SP5:xmlgraphics-batik-1.17-2.7.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-03-06T11:54:24Z",
"details": "moderate"
}
],
"title": "CVE-2022-40146"
},
{
"cve": "CVE-2022-41704",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2022-41704"
}
],
"notes": [
{
"category": "general",
"text": "A vulnerability in Batik of Apache XML Graphics allows an attacker to run untrusted Java code from an SVG. This issue affects Apache XML Graphics prior to 1.16. It is recommended to update to version 1.16.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Software Development Kit 12 SP5:xmlgraphics-batik-1.17-2.7.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2022-41704",
"url": "https://www.suse.com/security/cve/CVE-2022-41704"
},
{
"category": "external",
"summary": "SUSE Bug 1204704 for CVE-2022-41704",
"url": "https://bugzilla.suse.com/1204704"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Software Development Kit 12 SP5:xmlgraphics-batik-1.17-2.7.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Software Development Kit 12 SP5:xmlgraphics-batik-1.17-2.7.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-03-06T11:54:24Z",
"details": "moderate"
}
],
"title": "CVE-2022-41704"
},
{
"cve": "CVE-2022-42890",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2022-42890"
}
],
"notes": [
{
"category": "general",
"text": "A vulnerability in Batik of Apache XML Graphics allows an attacker to run Java code from untrusted SVG via JavaScript. This issue affects Apache XML Graphics prior to 1.16. Users are recommended to upgrade to version 1.16.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Software Development Kit 12 SP5:xmlgraphics-batik-1.17-2.7.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2022-42890",
"url": "https://www.suse.com/security/cve/CVE-2022-42890"
},
{
"category": "external",
"summary": "SUSE Bug 1204709 for CVE-2022-42890",
"url": "https://bugzilla.suse.com/1204709"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Software Development Kit 12 SP5:xmlgraphics-batik-1.17-2.7.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Software Development Kit 12 SP5:xmlgraphics-batik-1.17-2.7.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-03-06T11:54:24Z",
"details": "moderate"
}
],
"title": "CVE-2022-42890"
},
{
"cve": "CVE-2022-44729",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2022-44729"
}
],
"notes": [
{
"category": "general",
"text": "Server-Side Request Forgery (SSRF) vulnerability in Apache Software Foundation Apache XML Graphics Batik.This issue affects Apache XML Graphics Batik: 1.16.\n\nOn version 1.16, a malicious SVG could trigger loading external resources by default, causing resource consumption or in some cases even information disclosure. Users are recommended to upgrade to version 1.17 or later.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Software Development Kit 12 SP5:xmlgraphics-batik-1.17-2.7.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2022-44729",
"url": "https://www.suse.com/security/cve/CVE-2022-44729"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Software Development Kit 12 SP5:xmlgraphics-batik-1.17-2.7.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Software Development Kit 12 SP5:xmlgraphics-batik-1.17-2.7.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-03-06T11:54:24Z",
"details": "important"
}
],
"title": "CVE-2022-44729"
},
{
"cve": "CVE-2022-44730",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2022-44730"
}
],
"notes": [
{
"category": "general",
"text": "Server-Side Request Forgery (SSRF) vulnerability in Apache Software Foundation Apache XML Graphics Batik.This issue affects Apache XML Graphics Batik: 1.16.\n\nA malicious SVG can probe user profile / data and send it directly as parameter to a URL.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Software Development Kit 12 SP5:xmlgraphics-batik-1.17-2.7.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2022-44730",
"url": "https://www.suse.com/security/cve/CVE-2022-44730"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Software Development Kit 12 SP5:xmlgraphics-batik-1.17-2.7.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 4.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Software Development Kit 12 SP5:xmlgraphics-batik-1.17-2.7.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-03-06T11:54:24Z",
"details": "moderate"
}
],
"title": "CVE-2022-44730"
}
]
}
ICSA-25-261-04
Vulnerability from csaf_cisa - Published: 2025-08-26 09:22 - Updated: 2025-08-26 09:22Summary
Multiple Open-Source Software Vulnerabilities in Hitachi Energy Asset Suite Product
Notes
Summary
Hitachi Energy is aware of multiple reported vulnerabilities that affect the Asset Suite product versions mentioned in this document below. If exploited these vulnerabilities can potentially impact on confidentiality, integrity and availability of the product. Please refer to the Recommended Immediate Actions for information about the mitigation/remediation.
Notice
The information in this document is subject to change without notice and should not be construed as a commitment by Hitachi Energy. Hitachi Energy provides no warranty, express or implied, including warranties of merchantability and fitness for a particular purpose, for the information contained in this document, and assumes no responsibility for any errors that may appear in this document. In no event shall Hitachi Energy or any of its suppliers be liable for direct, indirect, special, incidental or consequential damages of any nature or kind arising from the use of this document, or from the use of any hardware or software described in this document, even if Hitachi Energy or its suppliers have been advised of the possibility of such damages. This document and parts hereof must not be reproduced or copied without written permission from Hitachi Energy and the contents hereof must not be imparted to a third party nor used for any unauthorized purpose. All rights to registrations and trademarks reside with their respective owners.
Support
For additional information and support please contact your product provider or Hitachi Energy service organization. For contact information, see https://www.hitachienergy.com/contact-us/ for Hitachi Energy contact-centers.
General Mitigation Factors
Recommended security practices and firewall configurations can help protect a process control network from attacks that originate from outside the network. Such practices include that process control systems are physically protected from direct access by unauthorized personnel, have no direct connections to the Internet, and are separated from other networks by means of a firewall system that has a minimal number of ports exposed, and others that have to be evaluated case by case. Process control systems should not be used for Internet surfing, instant messaging, or receiving e-mails. Portable computers and removable storage media should be carefully scanned for viruses before they are connected to a control system. Proper password policies and processes should be followed.
Legal Notice
All information products included in https://us-cert.cisa.gov/ics are provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. DHS does not endorse any commercial product or service, referenced in this product or otherwise. Further dissemination of this product is governed by the Traffic Light Protocol (TLP) marking in the header. For more information about TLP, see https://us-cert.cisa.gov/tlp/.
Advisory Conversion Disclaimer
This ICSA is a verbatim republication of Hitachi Energy PSIRT 8DBD000221 from a direct conversion of the vendor's Common Security Advisory Framework (CSAF) advisory. This is republished to CISA's website as a means of increasing visibility and is provided "as-is" for informational purposes only. CISA is not responsible for the editorial or technical accuracy of republished advisories and provides no warranties of any kind regarding any information contained within this advisory. Further, CISA does not endorse any commercial product or service. Please contact Hitachi Energy PSIRT directly for any questions regarding this advisory.
Critical infrastructure sectors
Energy
Countries/areas deployed
Worldwide
Company headquarters location
Switzerland
Recommended Practices
CISA recommends users take defensive measures to minimize the exploitation risk of this vulnerability.
Recommended Practices
Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the internet.
Recommended Practices
Locate control system networks and remote devices behind firewalls and isolate them from business networks.
Recommended Practices
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most recent version available. Also recognize VPN is only as secure as its connected devices.
Recommended Practices
CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
Recommended Practices
CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
Recommended Practices
CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets. Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.
Recommended Practices
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
{
"document": {
"acknowledgments": [
{
"organization": "Hitachi Energy PSIRT",
"summary": "reporting these vulnerabilities to CISA."
}
],
"aggregate_severity": {
"namespace": "https://www.first.org/cvss/specification-document",
"text": "HIGH"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Disclosure is not limited",
"tlp": {
"label": "WHITE",
"url": "https://us-cert.cisa.gov/tlp/"
}
},
"lang": "en-US",
"notes": [
{
"category": "summary",
"text": "Hitachi Energy is aware of multiple reported vulnerabilities that affect the Asset Suite product versions mentioned in this document below. If exploited these vulnerabilities can potentially impact on confidentiality, integrity and availability of the product. Please refer to the Recommended Immediate Actions for information about the mitigation/remediation.",
"title": "Summary"
},
{
"category": "legal_disclaimer",
"text": "The information in this document is subject to change without notice and should not be construed as a commitment by Hitachi Energy. Hitachi Energy provides no warranty, express or implied, including warranties of merchantability and fitness for a particular purpose, for the information contained in this document, and assumes no responsibility for any errors that may appear in this document. In no event shall Hitachi Energy or any of its suppliers be liable for direct, indirect, special, incidental or consequential damages of any nature or kind arising from the use of this document, or from the use of any hardware or software described in this document, even if Hitachi Energy or its suppliers have been advised of the possibility of such damages. This document and parts hereof must not be reproduced or copied without written permission from Hitachi Energy and the contents hereof must not be imparted to a third party nor used for any unauthorized purpose. All rights to registrations and trademarks reside with their respective owners.",
"title": "Notice"
},
{
"category": "general",
"text": "For additional information and support please contact your product provider or Hitachi Energy service organization. For contact information, see https://www.hitachienergy.com/contact-us/ for Hitachi Energy contact-centers.",
"title": "Support"
},
{
"category": "general",
"text": "Recommended security practices and firewall configurations can help protect a process control network from attacks that originate from outside the network. Such practices include that process control systems are physically protected from direct access by unauthorized personnel, have no direct connections to the Internet, and are separated from other networks by means of a firewall system that has a minimal number of ports exposed, and others that have to be evaluated case by case. Process control systems should not be used for Internet surfing, instant messaging, or receiving e-mails. Portable computers and removable storage media should be carefully scanned for viruses before they are connected to a control system. Proper password policies and processes should be followed.",
"title": "General Mitigation Factors"
},
{
"category": "legal_disclaimer",
"text": "All information products included in https://us-cert.cisa.gov/ics are provided \"as is\" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. DHS does not endorse any commercial product or service, referenced in this product or otherwise. Further dissemination of this product is governed by the Traffic Light Protocol (TLP) marking in the header. For more information about TLP, see https://us-cert.cisa.gov/tlp/.",
"title": "Legal Notice"
},
{
"category": "other",
"text": "This ICSA is a verbatim republication of Hitachi Energy PSIRT 8DBD000221 from a direct conversion of the vendor\u0027s Common Security Advisory Framework (CSAF) advisory. This is republished to CISA\u0027s website as a means of increasing visibility and is provided \"as-is\" for informational purposes only. CISA is not responsible for the editorial or technical accuracy of republished advisories and provides no warranties of any kind regarding any information contained within this advisory. Further, CISA does not endorse any commercial product or service. Please contact Hitachi Energy PSIRT directly for any questions regarding this advisory.",
"title": "Advisory Conversion Disclaimer"
},
{
"category": "other",
"text": "Energy",
"title": "Critical infrastructure sectors"
},
{
"category": "other",
"text": "Worldwide",
"title": "Countries/areas deployed"
},
{
"category": "other",
"text": "Switzerland",
"title": "Company headquarters location"
},
{
"category": "general",
"text": "CISA recommends users take defensive measures to minimize the exploitation risk of this vulnerability.",
"title": "Recommended Practices"
},
{
"category": "general",
"text": "Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the internet.",
"title": "Recommended Practices"
},
{
"category": "general",
"text": "Locate control system networks and remote devices behind firewalls and isolate them from business networks.",
"title": "Recommended Practices"
},
{
"category": "general",
"text": "When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most recent version available. Also recognize VPN is only as secure as its connected devices.",
"title": "Recommended Practices"
},
{
"category": "general",
"text": "CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.",
"title": "Recommended Practices"
},
{
"category": "general",
"text": "CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.",
"title": "Recommended Practices"
},
{
"category": "general",
"text": "CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets. Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.",
"title": "Recommended Practices"
},
{
"category": "general",
"text": "Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.",
"title": "Recommended Practices"
}
],
"publisher": {
"category": "other",
"contact_details": "central@cisa.dhs.gov",
"name": "CISA",
"namespace": "https://www.cisa.gov/"
},
"references": [
{
"category": "self",
"summary": "ICS Advisory ICSA-25-261-04 JSON",
"url": "https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/OT/white/2025/icsa-25-261-04.json"
},
{
"category": "self",
"summary": "Multiple Open-Source Software Vulnerabilities in Hitachi Energy Asset Suite Product",
"url": "https://publisher.hitachienergy.com/preview?DocumentID=8DBD000221\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=launch"
},
{
"category": "self",
"summary": "ICS Advisory ICSA-25-261-04 - Web Version",
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-25-261-04"
},
{
"category": "external",
"summary": "Recommended Practices",
"url": "https://www.cisa.gov/uscert/ics/alerts/ICS-ALERT-10-301-01"
},
{
"category": "external",
"summary": "Recommended Practices",
"url": "https://www.cisa.gov/resources-tools/resources/ics-recommended-practices"
},
{
"category": "external",
"summary": "Recommended Practices",
"url": "https://www.cisa.gov/topics/industrial-control-systems"
},
{
"category": "external",
"summary": "Recommended Practices",
"url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf"
},
{
"category": "external",
"summary": "Recommended Practices",
"url": "https://www.cisa.gov/sites/default/files/publications/Cybersecurity_Best_Practices_for_Industrial_Control_Systems.pdf"
},
{
"category": "external",
"summary": "Recommended Practices",
"url": "https://www.cisa.gov/uscert/ics/tips/ICS-TIP-12-146-01B"
}
],
"title": "Multiple Open-Source Software Vulnerabilities in Hitachi Energy Asset Suite Product",
"tracking": {
"current_release_date": "2025-08-26T09:22:00.000000Z",
"generator": {
"date": "2025-09-18T19:40:10.456523Z",
"engine": {
"name": "CISA CSAF Generator",
"version": "1.0.0"
}
},
"id": "ICSA-25-261-04",
"initial_release_date": "2025-08-26T09:22:47.000000Z",
"revision_history": [
{
"date": "2025-08-26T09:22:47.000000Z",
"number": "1",
"summary": "Initial version."
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version_range",
"name": "vers:all/\u003c=9.6.4.5",
"product": {
"name": "Asset Suite versions 9.6.4.5 and prior",
"product_id": "CSAFPID-0001"
}
}
],
"category": "product_name",
"name": "Asset Suite"
}
],
"category": "vendor",
"name": "Hitachi Energy"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2022-44729",
"cwe": {
"id": "CWE-918",
"name": "Server-Side Request Forgery (SSRF)"
},
"notes": [
{
"category": "description",
"text": "Server-Side Request Forgery (SSRF) vulnerability in Apache Software Foundation Apache XML Graphics Batik. This issue affects Apache XML Graphics Batik: 1.16. On version 1.16, a malicious SVG could trigger loading external resources by default, causing resource consumption or in some cases even information disclosure."
}
],
"product_status": {
"known_affected": [
"CSAFPID-0001"
]
},
"references": [
{
"category": "external",
"summary": "NVD - CVE-2022-44729",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-44729"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "Upgrade to version 9.7",
"product_ids": [
"CSAFPID-0001"
]
},
{
"category": "mitigation",
"details": "Apply general mitigation factors",
"product_ids": [
"CSAFPID-0001"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"environmentalScore": 7.1,
"environmentalSeverity": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"temporalScore": 7.1,
"temporalSeverity": "HIGH",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-0001"
]
}
],
"title": "CVE-2022-44729"
},
{
"cve": "CVE-2023-6378",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"notes": [
{
"category": "description",
"text": "A serialization vulnerability in logback receiver component part of logback version 1.4.11 allows an attacker to mount a Denial-Of-Service attack by sending poisoned data. This vulnerability affects logback versions prior to 1.2.13, 1.3.12 and 1.4.12."
}
],
"product_status": {
"known_affected": [
"CSAFPID-0001"
]
},
"references": [
{
"category": "external",
"summary": "NVD - CVE-2023-6378",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6378"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "Upgrade to version 9.7",
"product_ids": [
"CSAFPID-0001"
]
},
{
"category": "mitigation",
"details": "Apply general mitigation factors",
"product_ids": [
"CSAFPID-0001"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"environmentalScore": 7.5,
"environmentalSeverity": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"temporalScore": 7.5,
"temporalSeverity": "HIGH",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-0001"
]
}
],
"title": "CVE-2023-6378"
},
{
"cve": "CVE-2022-45868",
"cwe": {
"id": "CWE-312",
"name": "Cleartext Storage of Sensitive Information"
},
"notes": [
{
"category": "description",
"text": "The web-based admin console in H2 Database Engine before 2.2.220 can be started via the CLI with the argument -webAdminPassword, which allows the user to specify the password in cleartext for the web admin console. Consequently, a local user (or an attacker that has obtained local access through some means) would be able to discover the password by listing processes and their arguments. The issue was fixed in 2.2.220 by the vendor H2."
}
],
"product_status": {
"known_affected": [
"CSAFPID-0001"
]
},
"references": [
{
"category": "external",
"summary": "NVD - CVE-2022-45868",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-45868"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "Upgrade to version 9.7",
"product_ids": [
"CSAFPID-0001"
]
},
{
"category": "mitigation",
"details": "Apply general mitigation factors",
"product_ids": [
"CSAFPID-0001"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"environmentalScore": 7.8,
"environmentalSeverity": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"temporalScore": 7.8,
"temporalSeverity": "HIGH",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-0001"
]
}
],
"title": "CVE-2022-45868"
},
{
"cve": "CVE-2025-23184",
"cwe": {
"id": "CWE-400",
"name": "Uncontrolled Resource Consumption"
},
"notes": [
{
"category": "description",
"text": "A potential denial of service vulnerability is present in versions of Apache CXF before 3.5.10, 3.6.5 and 4.0.6. In some edge cases, the CachedOutputStream instances may not be closed and, if backed by temporary files, may fill up the file system (it applies to servers and clients)."
}
],
"product_status": {
"known_affected": [
"CSAFPID-0001"
]
},
"references": [
{
"category": "external",
"summary": "NVD - CVE-2025-23184",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-23184"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "Upgrade to version 9.7",
"product_ids": [
"CSAFPID-0001"
]
},
{
"category": "mitigation",
"details": "Apply general mitigation factors",
"product_ids": [
"CSAFPID-0001"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"environmentalScore": 7.5,
"environmentalSeverity": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"temporalScore": 7.5,
"temporalSeverity": "HIGH",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-0001"
]
}
],
"title": "CVE-2025-23184"
},
{
"cve": "CVE-2024-22262",
"cwe": {
"id": "CWE-601",
"name": "URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)"
},
"notes": [
{
"category": "description",
"text": "Applications that use UriComponentsBuilder to parse an externally provided URL (e.g. through a query parameter) AND perform validation checks on the host of the parsed URL may be vulnerable to a open redirect attack or to a SSRF attack if the URL is used after passing validation checks."
}
],
"product_status": {
"known_affected": [
"CSAFPID-0001"
]
},
"references": [
{
"category": "external",
"summary": "NVD - CVE-2024-22262",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-22262"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "Upgrade to version 9.7",
"product_ids": [
"CSAFPID-0001"
]
},
{
"category": "mitigation",
"details": "Apply general mitigation factors",
"product_ids": [
"CSAFPID-0001"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"environmentalScore": 8.1,
"environmentalSeverity": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"temporalScore": 8.1,
"temporalSeverity": "HIGH",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"CSAFPID-0001"
]
}
],
"title": "CVE-2024-22262"
},
{
"cve": "CVE-2022-41678",
"cwe": {
"id": "CWE-287",
"name": "Improper Authentication"
},
"notes": [
{
"category": "description",
"text": "In Apache ActiveMQ, once a user is authenticated on Jolokia, he can potentially trigger arbitrary code execution. In details, in ActiveMQ configurations, jetty allows org.jolokia.http.AgentServlet to handle request to /api/jolokia org.jolokia.http.HttpRequestHandler#handlePostRequest is able to create JmxRequest through JSONObject. And calls to org.jolokia.http.HttpRequestHandler#executeRequest. Into deeper calling stacks, org.jolokia.handler.ExecHandler#doHandleRequest can be invoked through reflection. This could lead to RCE through via various mbeans."
}
],
"product_status": {
"known_affected": [
"CSAFPID-0001"
]
},
"references": [
{
"category": "external",
"summary": "NVD - CVE-2022-41678",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41678"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "Upgrade to version 9.8 when available",
"product_ids": [
"CSAFPID-0001"
]
},
{
"category": "mitigation",
"details": "Apply general mitigation factors",
"product_ids": [
"CSAFPID-0001"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"environmentalScore": 8.8,
"environmentalSeverity": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"temporalScore": 8.8,
"temporalSeverity": "HIGH",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-0001"
]
}
],
"title": "CVE-2022-41678"
}
]
}
GHSA-GQ5F-XV48-2365
Vulnerability from github – Published: 2023-08-22 21:30 – Updated: 2025-02-13 19:10
VLAI?
Summary
Apache XML Graphics Batik Server-Side Request Forgery vulnerability
Details
Server-Side Request Forgery (SSRF) vulnerability in Apache Software Foundation Apache XML Graphics Batik.This issue affects Apache XML Graphics Batik: 1.16.
On version 1.16, a malicious SVG could trigger loading external resources by default, causing resource consumption or in some cases even information disclosure. Users are recommended to upgrade to version 1.17 or later.
Severity ?
7.1 (High)
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.apache.xmlgraphics:batik-bridge"
},
"ranges": [
{
"events": [
{
"introduced": "1.0"
},
{
"fixed": "1.17"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.apache.xmlgraphics:batik-svgrasterizer"
},
"ranges": [
{
"events": [
{
"introduced": "1.0"
},
{
"fixed": "1.17"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.apache.xmlgraphics:batik-transcoder"
},
"ranges": [
{
"events": [
{
"introduced": "1.0"
},
{
"fixed": "1.17"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-44729"
],
"database_specific": {
"cwe_ids": [
"CWE-918"
],
"github_reviewed": true,
"github_reviewed_at": "2023-08-23T17:53:44Z",
"nvd_published_at": "2023-08-22T19:16:29Z",
"severity": "HIGH"
},
"details": "Server-Side Request Forgery (SSRF) vulnerability in Apache Software Foundation Apache XML Graphics Batik.This issue affects Apache XML Graphics Batik: 1.16.\n\nOn version 1.16, a malicious SVG could trigger loading external resources by default, causing resource consumption or in some cases even information disclosure. Users are recommended to upgrade to version 1.17 or later.",
"id": "GHSA-gq5f-xv48-2365",
"modified": "2025-02-13T19:10:32Z",
"published": "2023-08-22T21:30:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-44729"
},
{
"type": "WEB",
"url": "https://github.com/apache/xmlgraphics-batik/commit/85b3457d9902f64d5d409a8da060d5ba47d0b69b"
},
{
"type": "WEB",
"url": "https://github.com/apache/xmlgraphics-batik/commit/aaa1dd3e6b5a7df781d73e0c37a1df6a8f318893"
},
{
"type": "PACKAGE",
"url": "https://github.com/apache/xmlgraphics-batik"
},
{
"type": "WEB",
"url": "https://issues.apache.org/jira/browse/BATIK-1349"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread/hco2nw1typoorz33qzs0fcdx0ws6d6j2"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00021.html"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/202401-11"
},
{
"type": "WEB",
"url": "https://xmlgraphics.apache.org/security.html"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2023/08/22/2"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2023/08/22/4"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Apache XML Graphics Batik Server-Side Request Forgery vulnerability"
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…